pkgsrc-WIP-changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
import 7.1p1 from pkgsrc
Module Name: pkgsrc-wip
Committed By: coypu <coypu%sdf.org@localhost>
Pushed By: coypu
Date: Thu Mar 10 15:02:17 2016 +0200
Changeset: 03c0e0fe337d55be9c1ef59e8b598deb3fd4f4de
Added Files:
openssh/DESCR
openssh/INSTALL
openssh/MESSAGE.Interix
openssh/MESSAGE.pam
openssh/MESSAGE.urandom
openssh/Makefile
openssh/PLIST
openssh/distinfo
openssh/files/org.openssh.sshd.sb.in
openssh/files/smf/manifest.xml
openssh/files/smf/sshd.sh
openssh/files/sshd.sh
openssh/options.mk
openssh/patches/patch-Makefile.in
openssh/patches/patch-auth-passwd.c
openssh/patches/patch-auth-rhosts.c
openssh/patches/patch-auth.c
openssh/patches/patch-auth1.c
openssh/patches/patch-auth2.c
openssh/patches/patch-channels.c
openssh/patches/patch-clientloop.c
openssh/patches/patch-config.h.in
openssh/patches/patch-configure.ac
openssh/patches/patch-defines.h
openssh/patches/patch-includes.h
openssh/patches/patch-loginrec.c
openssh/patches/patch-openbsd-compat_bsd-openpty.c
openssh/patches/patch-openbsd-compat_openbsd-compat.h
openssh/patches/patch-openbsd-compat_port-tun.c
openssh/patches/patch-packet.c
openssh/patches/patch-platform.c
openssh/patches/patch-readconf.c
openssh/patches/patch-sandbox-darwin.c
openssh/patches/patch-scp.c
openssh/patches/patch-session.c
openssh/patches/patch-sftp-common.c
openssh/patches/patch-ssh.c
openssh/patches/patch-sshd.8
openssh/patches/patch-sshd.c
openssh/patches/patch-sshpty.c
openssh/patches/patch-uidswap.c
Log Message:
import 7.1p1 from pkgsrc
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=03c0e0fe337d55be9c1ef59e8b598deb3fd4f4de
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
openssh/DESCR | 14 ++
openssh/INSTALL | 36 ++++
openssh/MESSAGE.Interix | 20 ++
openssh/MESSAGE.pam | 9 +
openssh/MESSAGE.urandom | 8 +
openssh/Makefile | 214 +++++++++++++++++++++
openssh/PLIST | 35 ++++
openssh/distinfo | 37 ++++
openssh/files/org.openssh.sshd.sb.in | 23 +++
openssh/files/smf/manifest.xml | 47 +++++
openssh/files/smf/sshd.sh | 68 +++++++
openssh/files/sshd.sh | 115 +++++++++++
openssh/options.mk | 34 ++++
openssh/patches/patch-Makefile.in | 27 +++
openssh/patches/patch-auth-passwd.c | 28 +++
openssh/patches/patch-auth-rhosts.c | 33 ++++
openssh/patches/patch-auth.c | 27 +++
openssh/patches/patch-auth1.c | 26 +++
openssh/patches/patch-auth2.c | 15 ++
openssh/patches/patch-channels.c | 51 +++++
openssh/patches/patch-clientloop.c | 63 ++++++
openssh/patches/patch-config.h.in | 37 ++++
openssh/patches/patch-configure.ac | 141 ++++++++++++++
openssh/patches/patch-defines.h | 47 +++++
openssh/patches/patch-includes.h | 17 ++
openssh/patches/patch-loginrec.c | 68 +++++++
openssh/patches/patch-openbsd-compat_bsd-openpty.c | 26 +++
.../patches/patch-openbsd-compat_openbsd-compat.h | 17 ++
openssh/patches/patch-openbsd-compat_port-tun.c | 40 ++++
openssh/patches/patch-packet.c | 16 ++
openssh/patches/patch-platform.c | 16 ++
openssh/patches/patch-readconf.c | 25 +++
openssh/patches/patch-sandbox-darwin.c | 23 +++
openssh/patches/patch-scp.c | 39 ++++
openssh/patches/patch-session.c | 66 +++++++
openssh/patches/patch-sftp-common.c | 16 ++
openssh/patches/patch-ssh.c | 26 +++
openssh/patches/patch-sshd.8 | 27 +++
openssh/patches/patch-sshd.c | 136 +++++++++++++
openssh/patches/patch-sshpty.c | 24 +++
openssh/patches/patch-uidswap.c | 76 ++++++++
41 files changed, 1813 insertions(+)
diffs:
diff --git a/openssh/DESCR b/openssh/DESCR
new file mode 100644
index 0000000..764ae7f
--- /dev/null
+++ b/openssh/DESCR
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.
diff --git a/openssh/INSTALL b/openssh/INSTALL
new file mode 100644
index 0000000..8b8d1d3
--- /dev/null
+++ b/openssh/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+ for dir in $DIRS; do
+ if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+ for file in $FILES; do
+ path=$dir/$file
+ if [ -f $path ]; then
+ ${CAT} <<EOF
+===========================================================================
+
+ *===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+ @PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+ exit
+ fi
+ done
+ fi
+ done
+ ;;
+esac
diff --git a/openssh/MESSAGE.Interix b/openssh/MESSAGE.Interix
new file mode 100644
index 0000000..ee57d65
--- /dev/null
+++ b/openssh/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+ native lookup services. This requires that /etc/resolv.conf be set up
+ properly with a "nameserver" line; see resolv.conf(5). In most
+ installations, this was generated automatically when Services for UNIX
+ was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+ to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+ logging in through sshd thanks to the way the Windows security API works.
+ A workaround is to "exec su USERNAME" after logging in, which will use
+ the password to create a proper Windows access credential key.
+
+===========================================================================
diff --git a/openssh/MESSAGE.pam b/openssh/MESSAGE.pam
new file mode 100644
index 0000000..e111287
--- /dev/null
+++ b/openssh/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+ ${EGDIR}/sshd.pam
+
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================
diff --git a/openssh/MESSAGE.urandom b/openssh/MESSAGE.urandom
new file mode 100644
index 0000000..5264198
--- /dev/null
+++ b/openssh/MESSAGE.urandom
@@ -0,0 +1,8 @@
+===========================================================================
+$NetBSD: MESSAGE.urandom,v 1.1 2002/02/05 04:17:31 jlam Exp $
+
+You will need a working /dev/urandom. Please make sure you have a kernel
+compiled from a config file containing the line:
+
+ pseudo-device rnd
+===========================================================================
diff --git a/openssh/Makefile b/openssh/Makefile
new file mode 100644
index 0000000..9a2378d
--- /dev/null
+++ b/openssh/Makefile
@@ -0,0 +1,214 @@
+# $NetBSD: Makefile,v 1.242 2016/03/05 11:29:23 jperkin Exp $
+
+DISTNAME= openssh-7.1p1
+PKGNAME= ${DISTNAME:S/p1/.1/}
+PKGREVISION= 4
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+
+MAINTAINER= pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE= http://www.openssh.com/
+COMMENT= Open Source Secure shell client and server (remote login program)
+
+CONFLICTS= sftp-[0-9]*
+CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+= openssh+gssapi-[0-9]*
+CONFLICTS+= lsh>2.0
+BROKEN_FOR_PLATFORM+= OpenBSD-*-*
+
+USE_GCC_RUNTIME= yes
+USE_TOOLS+= autoconf perl
+
+CRYPTO= yes
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+= IPV6_READY
+
+PKG_GROUPS_VARS+= OPENSSH_GROUP
+PKG_USERS_VARS+= OPENSSH_USER
+BUILD_DEFS+= OPENSSH_CHROOT
+BUILD_DEFS+= VARBASE
+
+INSTALL_TARGET= install-nokeys
+
+.include "options.mk"
+
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+= --disable-strip
+
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+= ac_cv_func_openpty=no
+CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
+CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
+.if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+= -I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+.elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+= -I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+.endif
+LDFLAGS+= -L/usr/local/lib/bind
+LIBS+= -lbind -ldb -lcrypt
+
+.else # not Interix
+
+PKG_GROUPS= ${OPENSSH_GROUP}
+PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
+
+PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
+
+.endif
+
+SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
+
+PKG_SYSCONFSUBDIR= ssh
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-mantype=man
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
+CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR:Q}
+CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
+CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER:Q}
+.endif
+
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+= --without-zlib-version-check
+
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+= LD=${CC:Q}
+
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+. include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
+
+.if (${OPSYS} == "NetBSD")
+. if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+= --disable-libutil
+. endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it. So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+= ac_cv_func_strnvis=no
+.endif
+
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
+.endif
+
+CONFIGURE_ARGS.Linux+= --enable-md5-password
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
+.endif
+
+CONFS= ssh_config sshd_config moduli
+
+PLIST_VARS+= darwin prng
+
+.if exists(/dev/urandom)
+. if ${OPSYS} == "NetBSD"
+MESSAGE_SRC+= ${.CURDIR}/MESSAGE.urandom
+. endif
+.else
+CONFIGURE_ARGS+= --without-random
+CONFS+= ssh_prng_cmds
+PLIST.prng= yes
+.endif
+
+EGDIR= ${PREFIX}/share/examples/${PKGBASE}
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+
+.for f in ${CONFS}
+CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS= ${OPENSSH_CHROOT}
+RCD_SCRIPTS= sshd
+RCD_SCRIPT_SRC.sshd= ${WRKDIR}/sshd.sh
+SMF_METHODS= sshd
+
+FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q}
+
+SUBST_CLASSES+= patch
+SUBST_STAGE.patch= pre-configure
+SUBST_FILES.patch= session.c sandbox-darwin.c
+SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch= PKG_SYSCONFDIR
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+ cd ${WRKSRC} && autoconf -i
+
+post-configure:
+ if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
+ ${WRKSRC}/config.h; then \
+ ${SED} -e '/HAVE_ECDSA/s/.*//' \
+ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+ else \
+ ${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+ fi
+ ${SED} -e 's,@VARBASE@,${VARBASE:Q},g' \
+ < ${FILESDIR}/org.openssh.sshd.sb.in \
+ > ${WRKDIR}/org.openssh.sshd.sb
+
+post-install:
+ ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+ cd ${WRKSRC}; for file in ${CONFS}; do \
+ ${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
+ done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+ ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+ ${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+ ${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+ ${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/openssh/PLIST b/openssh/PLIST
new file mode 100644
index 0000000..ebe150a
--- /dev/null
+++ b/openssh/PLIST
@@ -0,0 +1,35 @@
+@comment $NetBSD: PLIST,v 1.17 2015/08/14 08:57:00 jperkin Exp $
+bin/scp
+bin/sftp
+bin/slogin
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+${PLIST.prng}libexec/ssh-rand-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/slogin.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.prng}share/examples/openssh/ssh_prng_cmds
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config
diff --git a/openssh/distinfo b/openssh/distinfo
new file mode 100644
index 0000000..747daee
--- /dev/null
+++ b/openssh/distinfo
@@ -0,0 +1,37 @@
+$NetBSD: distinfo,v 1.99 2016/02/26 21:06:38 tez Exp $
+
+SHA1 (openssh-7.1p1-hpn-20150822.diff.bz2) = 444a2fbd80d57ff93b53ade84ec162e2a2f3aa67
+RMD160 (openssh-7.1p1-hpn-20150822.diff.bz2) = 87fb6887d9ccb4b305ff3c25fd5f67847d9996d1
+Size (openssh-7.1p1-hpn-20150822.diff.bz2) = 12173 bytes
+SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6
+RMD160 (openssh-7.1p1.tar.gz) = 2c97ea10099fa8658156c0351d60d715655b9b07
+SHA512 (openssh-7.1p1.tar.gz) = f1491ca5a0a733eb27ede966590642a412cb7be7178dcb7b9e5844bbdc8383032f4b00435192b95fc0365b6fe74d6c5ac8d6facbe9d51e1532d049e2f784e8f7
+Size (openssh-7.1p1.tar.gz) = 1493170 bytes
+SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
+SHA1 (patch-auth-passwd.c) = 92c487cc3c092efb56f8b4ac4ca08ccd67803a83
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
+SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
+SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
+SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
+SHA1 (patch-clientloop.c) = a99fa9ff36e0068c059ee9daa392d06c01d1761c
+SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
+SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
+SHA1 (patch-packet.c) = d302a0802861287e9a5230bbe2a1018c5dc17d28
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-readconf.c) = e1663d4d9a7ca8de8f87ba42d7b764923cdcc5db
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2aa1d95a35b52519c4921494855f861dc1380f3b
+SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
+SHA1 (patch-ssh.c) = 00897c09b7d3037713c579cbc41301623d4c2ebf
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 85a9f50c8b1bdcc44156e2b457a583ccdbc5821b
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
diff --git a/openssh/files/org.openssh.sshd.sb.in b/openssh/files/org.openssh.sshd.sb.in
new file mode 100644
index 0000000..e060377
--- /dev/null
+++ b/openssh/files/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.logger"))
diff --git a/openssh/files/smf/manifest.xml b/openssh/files/smf/manifest.xml
new file mode 100644
index 0000000..4bd43a9
--- /dev/null
+++ b/openssh/files/smf/manifest.xml
@@ -0,0 +1,47 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='@SMF_NAME@'>
+ <service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+ <create_default_instance enabled='false'/>
+ <single_instance/>
+ <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/filesystem/local'/>
+ </dependency>
+ <dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/network/loopback'/>
+ </dependency>
+ <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/network/physical'/>
+ </dependency>
+ <dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/cryptosvc'/>
+ </dependency>
+ <dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/utmp'/>
+ </dependency>
+ <dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
+ <service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
+ </dependency>
+ <dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
+ <service_fmri value='svc:/milestone/multi-user-server'/>
+ </dependent>
+ <exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
+ <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+ <exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
+ <property_group name='general' type='framework'>
+ <property name='action_authorization' type='astring'/>
+ </property_group>
+ <property_group name='startd' type='framework'>
+ <propval name='ignore_error' type='astring' value='core,signal'/>
+ </property_group>
+ <stability value='Unstable'/>
+ <template>
+ <common_name>
+ <loctext xml:lang='C'>OpenSSH server</loctext>
+ </common_name>
+ <documentation>
+ <manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
+ </documentation>
+ </template>
+ </service>
+</service_bundle>
diff --git a/openssh/files/smf/sshd.sh b/openssh/files/smf/sshd.sh
new file mode 100644
index 0000000..0ab4819
--- /dev/null
+++ b/openssh/files/smf/sshd.sh
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "@(#)sshd 1.4 04/11/17 SMI"
+
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+ keypath=$1
+ keytype=$2
+
+ if [ ! -f $keypath ]; then
+ grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo Creating new $keytype public/private host key pair
+ $KEYGEN -f $keypath -t $keytype -N ''
+ return $?
+ fi
+ fi
+
+ return 0
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in
+ # sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+ create_key $SSHDIR/ssh_host_rsa_key rsa
+ create_key $SSHDIR/ssh_host_dsa_key dsa
+ ;;
+
+'-u')
+ # sys-unconfig(1M) knows how to remove ssh host keys, so there's
+ # nothing to do here.
+ :
+ ;;
+
+ # SMF arguments (start and restart [really "refresh"])
+'start')
+ @PREFIX@/sbin/sshd
+ ;;
+
+'restart')
+ if [ -f "$PIDFILE" ]; then
+ /usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+ fi
+ ;;
+
+*)
+ echo "Usage: $0 { start | restart }"
+ exit 1
+ ;;
+esac
+
+exit $?
diff --git a/openssh/files/sshd.sh b/openssh/files/sshd.sh
new file mode 100644
index 0000000..8493e04
--- /dev/null
+++ b/openssh/files/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+ . /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+ (
+ umask 022
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+ @ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+ @ECHO@ "Skipping protocol version 2 DSA Key Generation"
+ else
+ ${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+ fi
+
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+ @ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+ @ECHO@ "Skipping protocol version 2 RSA Key Generation"
+ else
+ ${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+ fi
+# HAVE_ECDSA_START
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+ @ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+ @ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+ else
+ ${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+ fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+ @ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+ @ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+ else
+ ${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+ fi
+# HAVE_ED25519_STOP
+ )
+}
+
+sshd_precmd()
+{
+ if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+ if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+ then
+ run_rc_command keygen
+ else
+ eval ${keygen_cmd}
+ fi
+ fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+ load_rc_config $name
+ run_rc_command "$1"
+else
+ case ${1:-start} in
+ start)
+ if [ -x ${command} -a -f ${required_files} ]
+ then
+ @ECHO@ "Starting ${name}."
+ eval ${start_precmd}
+ eval ${command} ${sshd_flags} ${command_args}
+ fi
+ ;;
+ stop)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "Stopping ${name}."
+ kill -TERM ${pid}
+ else
+ @ECHO@ "${name} not running?"
+ fi
+ ;;
+ restart)
+ ( $0 stop )
+ sleep 1
+ $0 start
+ ;;
+ status)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "${name} is running as pid ${pid}."
+ else
+ @ECHO@ "${name} is not running."
+ fi
+ ;;
+ keygen)
+ eval ${keygen_cmd}
+ ;;
+ esac
+fi
diff --git a/openssh/options.mk b/openssh/options.mk
new file mode 100644
index 0000000..1c4f9bc
--- /dev/null
+++ b/openssh/options.mk
@@ -0,0 +1,34 @@
+# $NetBSD: options.mk,v 1.31 2015/08/22 05:17:22 taca Exp $
+
+.include "../../mk/bsd.prefs.mk"
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS= kerberos hpn-patch pam
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mkerberos)
+. include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q}
+. if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
+. endif
+.endif
+
+.if !empty(PKG_OPTIONS:Mhpn-patch)
+PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+PATCH_DIST_STRIP= -p1
+.endif
+
+PLIST_VARS+= pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+= --with-pam
+MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+= EGDIR=${EGDIR}
+.if ${OPSYS} == "Linux"
+PLIST.pam= yes
+.endif
+.endif
diff --git a/openssh/patches/patch-Makefile.in b/openssh/patches/patch-Makefile.in
new file mode 100644
index 0000000..f04cf0d
--- /dev/null
+++ b/openssh/patches/patch-Makefile.in
@@ -0,0 +1,27 @@
+$NetBSD: patch-Makefile.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Removed install-sysconf as we handle that phase through post-install
+
+--- Makefile.in.orig 2015-08-21 04:49:03.000000000 +0000
++++ Makefile.in
+@@ -2,5 +2,5 @@
+
+ # uncomment if you run a non bourne compatable shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+
+ AUTORECONF=autoreconf
+@@ -23,5 +23,5 @@ DESTDIR=
+ VPATH=@srcdir@
+ SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+@@ -288,5 +288,5 @@ distprep: catman-do
+
+ install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
++install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+
diff --git a/openssh/patches/patch-auth-passwd.c b/openssh/patches/patch-auth-passwd.c
new file mode 100644
index 0000000..4cc6a05
--- /dev/null
+++ b/openssh/patches/patch-auth-passwd.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-auth-passwd.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-passwd.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth-passwd.c
+@@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const
+ #endif
+
+ #ifndef HAVE_CYGWIN
+- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ ok = 0;
+ #endif
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -123,7 +123,12 @@ auth_password(Authctxt *authctxt, const
+ authctxt->force_pwchange = 1;
+ }
+ #endif
++
++#ifdef HAVE_INTERIX
++ result = (!setuser(pw->pw_name, password, SU_CHECK));
++#else
+ result = sys_auth_passwd(authctxt, password);
++#endif
+ if (authctxt->force_pwchange)
+ disable_forwarding();
+ return (result && ok);
diff --git a/openssh/patches/patch-auth-rhosts.c b/openssh/patches/patch-auth-rhosts.c
new file mode 100644
index 0000000..fef0606
--- /dev/null
+++ b/openssh/patches/patch-auth-rhosts.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth-rhosts.c
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * If not logging in as superuser, try /etc/hosts.equiv and
+ * shosts.equiv.
+ */
+- if (pw->pw_uid == 0)
++ if (pw->pw_uid == ROOTUID)
+ debug3("%s: root user, ignoring system hosts files", __func__);
+ else {
+ if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ return 0;
+ }
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: "
+ "bad ownership or modes for home directory.", pw->pw_name);
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * allowing access to their account by anyone.
+ */
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+ pw->pw_name, buf);
diff --git a/openssh/patches/patch-auth.c b/openssh/patches/patch-auth.c
new file mode 100644
index 0000000..80ad49e
--- /dev/null
+++ b/openssh/patches/patch-auth.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+ vs. default login class distinction is made correctly, from FrrrBSD's
+ ports.
+
+--- auth.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth.c
+@@ -424,7 +424,7 @@ check_key_in_hostfiles(struct passwd *pw
+ user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+ if (options.strict_modes &&
+ (stat(user_hostfile, &st) == 0) &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Authentication refused for %.100s: "
+ "bad owner or modes for %.200s",
+@@ -653,7 +653,7 @@ getpwnamallow(const char *user)
+ if (!allowed_user(pw))
+ return (NULL);
+ #ifdef HAVE_LOGIN_CAP
+- if ((lc = login_getclass(pw->pw_class)) == NULL) {
++ if ((lc = login_getpwclass(pw)) == NULL) {
+ debug("unable to get login class: %s", user);
+ return (NULL);
+ }
diff --git a/openssh/patches/patch-auth1.c b/openssh/patches/patch-auth1.c
new file mode 100644
index 0000000..011c4bb
--- /dev/null
+++ b/openssh/patches/patch-auth1.c
@@ -0,0 +1,26 @@
+$NetBSD: patch-auth1.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth1.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth1.c
+@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
+
+ #ifndef HAVE_CYGWIN
+ /* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ !auth_root_allowed(meth->name)) {
+ authenticated = 0;
+ # ifdef SSH_AUDIT_EVENTS
+@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
+ * If we are not running as root, the user must have the same uid as
+ * the server.
+ */
+-#ifndef HAVE_CYGWIN
+- if (!use_privsep && getuid() != 0 && authctxt->pw &&
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++ if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
+ authctxt->pw->pw_uid != getuid())
+ packet_disconnect("Cannot change user when server not running as root.");
+ #endif
diff --git a/openssh/patches/patch-auth2.c b/openssh/patches/patch-auth2.c
new file mode 100644
index 0000000..f9b6acf
--- /dev/null
+++ b/openssh/patches/patch-auth2.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-auth2.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth2.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth2.c
+@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int
+ fatal("INTERNAL ERROR: authenticated and postponed");
+
+ /* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ !auth_root_allowed(method)) {
+ authenticated = 0;
+ #ifdef SSH_AUDIT_EVENTS
diff --git a/openssh/patches/patch-channels.c b/openssh/patches/patch-channels.c
new file mode 100644
index 0000000..1c13d60
--- /dev/null
+++ b/openssh/patches/patch-channels.c
@@ -0,0 +1,51 @@
+$NetBSD: patch-channels.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- channels.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ channels.c
+@@ -4037,15 +4037,35 @@ x11_connect_display(void)
+ * connection to the real X server.
+ */
+
+- /* Check if the display is from launchd. */
+ #ifdef __APPLE__
+- if (strncmp(display, "/tmp/launch", 11) == 0) {
+- sock = connect_local_xsocket_path(display);
+- if (sock < 0)
+- return -1;
++ /* Check if the display is a path to a socket (as set by launchd). */
++ {
++ char path[PATH_MAX];
++ struct stat sbuf;
++ int is_path_to_socket = 0;
++
++ strlcpy(path, display, sizeof(path));
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ } else {
++ char *dot = strrchr(path, '.');
++ if (dot) {
++ *dot = '\0';
++ /* screen = atoi(dot + 1); */
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket=1;
++ }
++ }
++ }
+
+- /* OK, we now have a connection to the display. */
+- return sock;
++ if (is_path_to_socket) {
++ sock = connect_local_xsocket_path(path);
++ if (sock < 0)
++ return -1;
++
++ /* OK, we now have a connection to the display. */
++ return sock;
++ }
+ }
+ #endif
+ /*
diff --git a/openssh/patches/patch-clientloop.c b/openssh/patches/patch-clientloop.c
new file mode 100644
index 0000000..a093795
--- /dev/null
+++ b/openssh/patches/patch-clientloop.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-clientloop.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- clientloop.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ clientloop.c
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+ struct stat st;
+ u_int now, x11_timeout_real;
+
++#if __APPLE__
++ int is_path_to_socket = 0;
++#endif /* __APPLE__ */
++
+ xauthdir = xauthfile = NULL;
+ *_proto = proto;
+ *_data = data;
+@@ -330,6 +334,33 @@ client_x11_get_proto(const char *display
+ debug("x11_get_proto: DISPLAY not set");
+ return;
+ }
++#if __APPLE__
++ {
++ /*
++ * If using launchd socket, remove the screen number from the end
++ * of $DISPLAY. is_path_to_socket is used later in this function
++ * to determine if an error should be displayed.
++ */
++ char path[PATH_MAX];
++ struct stat sbuf;
++
++ strlcpy(path, display, sizeof(path));
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ } else {
++ char *dot = strrchr(path, '.');
++ if (dot) {
++ *dot = '\0';
++ /* screen = atoi(dot + 1); */
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
++ setenv("DISPLAY", path, 1);
++ }
++ }
++ }
++ }
++#endif /* __APPLE__ */
+ /*
+ * Handle FamilyLocal case where $DISPLAY does
+ * not match an authorization entry. For this we
+@@ -421,6 +452,9 @@ client_x11_get_proto(const char *display
+ if (!got_data) {
+ u_int32_t rnd = 0;
+
++#if __APPLE__
++ if (!is_path_to_socket)
++#endif /* __APPLE__ */
+ logit("Warning: No xauth data; "
+ "using fake authentication data for X11 forwarding.");
+ strlcpy(proto, SSH_X11_PROTO, sizeof proto);
diff --git a/openssh/patches/patch-config.h.in b/openssh/patches/patch-config.h.in
new file mode 100644
index 0000000..4253ab9
--- /dev/null
+++ b/openssh/patches/patch-config.h.in
@@ -0,0 +1,37 @@
+$NetBSD: patch-config.h.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+* Added Interix and define new path to if_tun.h.
+* Revive tcp_wrappers support.
+
+--- config.h.in.orig 2015-08-21 05:09:20.000000000 +0000
++++ config.h.in
+@@ -640,6 +640,9 @@
+ /* define if you have int64_t data type */
+ #undef HAVE_INT64_T
+
++/* Define if you are on Interix */
++#undef HAVE_INTERIX
++
+ /* Define to 1 if the system has the type `intmax_t'. */
+ #undef HAVE_INTMAX_T
+
+@@ -799,6 +802,9 @@
+ /* Define to 1 if you have the <net/if_tun.h> header file. */
+ #undef HAVE_NET_IF_TUN_H
+
++/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
++#undef HAVE_NET_TUN_IF_TUN_H
++
+ /* Define if you are on NeXT */
+ #undef HAVE_NEXT
+
+@@ -1394,6 +1400,9 @@
+ /* Define if pututxline updates lastlog too */
+ #undef LASTLOG_WRITE_PUTUTXLINE
+
++/* Define if you want TCP Wrappers support */
++#undef LIBWRAP
++
+ /* Define to whatever link() returns for "not supported" if it doesn't return
+ EOPNOTSUPP. */
+ #undef LINK_OPNOTSUPP_ERRNO
diff --git a/openssh/patches/patch-configure.ac b/openssh/patches/patch-configure.ac
new file mode 100644
index 0000000..790ef5a
--- /dev/null
+++ b/openssh/patches/patch-configure.ac
@@ -0,0 +1,141 @@
+$NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+* Various fixes regarding portability
+* Revive tcp_wrappers support.
+
+--- configure.ac.orig 2015-08-21 04:49:03.000000000 +0000
++++ configure.ac
+@@ -316,6 +316,9 @@ AC_ARG_WITH([rpath],
+ ]
+ )
+
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH([cflags],
+ [ --with-cflags Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+ maillock.h \
+ ndir.h \
+ net/if_tun.h \
++ net/tun/if_tun.h \
+ netdb.h \
+ netgroup.h \
+ pam/pam_appl.h \
+@@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+ ;;
+ esac
+ ;;
++*-*-interix*)
++ AC_DEFINE(HAVE_INTERIX)
++ AC_DEFINE(DISABLE_FD_PASSING)
++ AC_DEFINE(DISABLE_SHADOW)
++ AC_DEFINE(IP_TOS_IS_BROKEN)
++ AC_DEFINE(MISSING_HOWMANY)
++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++ AC_DEFINE(USE_PIPES)
++ ;;
+ *-*-irix5*)
+ PATH="$PATH:/usr/etc"
+ AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey],
+ ]
+ )
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -4816,9 +4885,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ ])
+ if test -z "$conf_wtmpx_location"; then
+ if test x"$system_wtmpx_path" = x"no" ; then
+- AC_DEFINE([DISABLE_WTMPX])
++ for f in /var/log/wtmpx; do
++ if test -f $f ; then
++ conf_wtmpx_location=$f
++ fi
++ done
++ if test -z "$conf_wtmpx_location"; then
++ AC_DEFINE(DISABLE_WTMPX)
++ fi
+ fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+ AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+ [Define if you want to specify the path to your wtmpx file])
+ fi
+@@ -4905,7 +4982,7 @@ echo "OpenSSH has been configured with t
+ echo " User binaries: $B"
+ echo " System binaries: $C"
+ echo " Configuration files: $D"
+-echo " Askpass program: $E"
++echo " Askpass program: ${ASKPASS_PROGRAM}"
+ echo " Manual pages: $F"
+ echo " PID file: $G"
+ echo " Privilege separation chroot path: $H"
+@@ -4929,6 +5006,7 @@ echo " KerberosV support
+ echo " SELinux support: $SELINUX_MSG"
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
diff --git a/openssh/patches/patch-defines.h b/openssh/patches/patch-defines.h
new file mode 100644
index 0000000..63788b3
--- /dev/null
+++ b/openssh/patches/patch-defines.h
@@ -0,0 +1,47 @@
+$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Define ROOTUID, UTMPX_FILE and WTMPX_FILE
+
+--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ defines.h
+@@ -30,6 +30,15 @@
+
+ /* Constants */
+
++#ifdef HAVE_INTERIX
++/* Interix has a special concept of "administrator". */
++# define ROOTUID 197108
++# define ROOTGID 131616
++#else
++# define ROOTUID 0
++# define ROOTGID 0
++#endif
++
+ #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
+ enum
+ {
+@@ -721,6 +730,24 @@ struct winsize {
+ # endif
+ # endif
+ #endif
++#ifndef UTMPX_FILE
++# ifdef _PATH_UTMPX
++# define UTMPX_FILE _PATH_UTMPX
++# else
++# ifdef CONF_UTMPX_FILE
++# define UTMPX_FILE CONF_UTMPX_FILE
++# endif
++# endif
++#endif
++#ifndef WTMPX_FILE
++# ifdef _PATH_WTMPX
++# define WTMPX_FILE _PATH_WTMPX
++# else
++# ifdef CONF_WTMPX_FILE
++# define WTMPX_FILE CONF_WTMPX_FILE
++# endif
++# endif
++#endif
+ /* pick up the user's location for lastlog if given */
+ #ifndef LASTLOG_FILE
+ # ifdef _PATH_LASTLOG
diff --git a/openssh/patches/patch-includes.h b/openssh/patches/patch-includes.h
new file mode 100644
index 0000000..5e54a9d
--- /dev/null
+++ b/openssh/patches/patch-includes.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ includes.h
+@@ -127,6 +127,10 @@
+ #ifdef HAVE_READPASSPHRASE_H
+ # include <readpassphrase.h>
+ #endif
++#ifdef HAVE_INTERIX
++# include <interix/env.h>
++# include <interix/security.h>
++#endif
+
+ #ifdef HAVE_IA_H
+ # include <ia.h>
diff --git a/openssh/patches/patch-loginrec.c b/openssh/patches/patch-loginrec.c
new file mode 100644
index 0000000..fa56d5a
--- /dev/null
+++ b/openssh/patches/patch-loginrec.c
@@ -0,0 +1,68 @@
+$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support and related fixes. Fix build on FreeBSD.
+
+--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ loginrec.c
+@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
+ int
+ login_write(struct logininfo *li)
+ {
+-#ifndef HAVE_CYGWIN
+- if (geteuid() != 0) {
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++ if (geteuid() != ROOTUID) {
+ logit("Attempt to write login records by non-root user (aborting)");
+ return (1);
+ }
+@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
+
+ /* set the timestamp */
+ login_set_current_time(li);
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && (HAVE_UTMP_H)
+ syslogin_write_entry(li);
+ #endif
+ #ifdef USE_LASTLOG
+@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
+ ** into account.
+ **/
+
+-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
+
+ /* build the utmp structure */
+ void
+@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
+ set_utmpx_time(li, utx);
+ utx->ut_pid = li->pid;
+
+- /* strncpy(): Don't necessarily want null termination */
+- strncpy(utx->ut_user, li->username,
+- MIN_SIZEOF(utx->ut_user, li->username));
+-
+ if (li->type == LTYPE_LOGOUT)
+ return;
+
+@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
+ * for logouts.
+ */
+
++ /* strncpy(): Don't necessarily want null termination */
++#if defined(__FreeBSD__)
++ strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
++#else
++ strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
++#endif
+ # ifdef HAVE_HOST_IN_UTMPX
+ strncpy(utx->ut_host, li->hostname,
+ MIN_SIZEOF(utx->ut_host, li->hostname));
+@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
+ ** Low-level libutil login() functions
+ **/
+
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
+ static int
+ syslogin_perform_login(struct logininfo *li)
+ {
diff --git a/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/openssh/patches/patch-openbsd-compat_bsd-openpty.c
new file mode 100644
index 0000000..05c46da
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_bsd-openpty.c
@@ -0,0 +1,26 @@
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- openbsd-compat/bsd-openpty.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/bsd-openpty.c
+@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char
+ return (-1);
+ }
+
++#if !defined(HAVE_INTERIX)
+ /*
+ * Try to push the appropriate streams modules, as described
+ * in Solaris pts(7).
+ */
+ ioctl(*aslave, I_PUSH, "ptem");
+ ioctl(*aslave, I_PUSH, "ldterm");
+-# ifndef __hpux
++ # ifndef __hpux
+ ioctl(*aslave, I_PUSH, "ttcompat");
+-# endif /* __hpux */
++ # endif /* __hpux */
++#endif /* !HAVE_INTERIX */
+
+ return (0);
+
diff --git a/openssh/patches/patch-openbsd-compat_openbsd-compat.h b/openssh/patches/patch-openbsd-compat_openbsd-compat.h
new file mode 100644
index 0000000..771757f
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_openbsd-compat.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+strtoll() declaration
+
+--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/openbsd-compat.h
+@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
+ int setenv(register const char *name, register const char *value, int rewrite);
+ #endif
+
++#ifndef HAVE_STRTOLL
++long long strtoll(const char *, char **, int);
++#endif
++
+ #ifndef HAVE_STRMODE
+ void strmode(int mode, char *p);
+ #endif
diff --git a/openssh/patches/patch-openbsd-compat_port-tun.c b/openssh/patches/patch-openbsd-compat_port-tun.c
new file mode 100644
index 0000000..7114086
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_port-tun.c
@@ -0,0 +1,40 @@
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+if_tun.h can be found in net/tun
+
+--- openbsd-compat/port-tun.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/port-tun.c
+@@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode)
+ #include <sys/socket.h>
+ #include <net/if.h>
+
++#ifdef HAVE_NET_TUN_IF_TUN_H
++#include <net/tun/if_tun.h>
++#endif
++
+ #ifdef HAVE_NET_IF_TUN_H
+ #include <net/if_tun.h>
+ #endif
+@@ -120,7 +124,10 @@ sys_tun_open(int tun, int mode)
+ {
+ struct ifreq ifr;
+ char name[100];
+- int fd = -1, sock, flag;
++ int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++ int flag;
++#endif
+ const char *tunbase = "tun";
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+@@ -154,9 +161,9 @@ sys_tun_open(int tun, int mode)
+ return (-1);
+ }
+
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ /* Turn on tunnel headers */
+ flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ if (mode != SSH_TUNMODE_ETHERNET &&
+ ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
diff --git a/openssh/patches/patch-packet.c b/openssh/patches/patch-packet.c
new file mode 100644
index 0000000..2c5f1a4
--- /dev/null
+++ b/openssh/patches/patch-packet.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-packet.c,v 1.1 2016/02/26 21:06:38 tez Exp $
+
+Fix for CVE-2016-1907
+from https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0
+
+
+--- packet.c.orig 2016-02-26 18:42:38.037291000 +0000
++++ packet.c
+@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u
+ logit("Bad packet length %u.", state->packlen);
+ if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
+ return r;
++ return SSH_ERR_CONN_CORRUPT;
+ }
+ sshbuf_reset(state->incoming_packet);
+ } else if (state->packlen == 0) {
diff --git a/openssh/patches/patch-platform.c b/openssh/patches/patch-platform.c
new file mode 100644
index 0000000..fe837c1
--- /dev/null
+++ b/openssh/patches/patch-platform.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ platform.c
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
+ /* uid 0 is not special on Cygwin so always try */
+ return 1;
+ #else
++#if !defined(HAVE_INTERIX)
+ return (getuid() == 0 || geteuid() == 0);
++#endif /* !HAVE_INTERIX */
+ #endif
+ }
+
diff --git a/openssh/patches/patch-readconf.c b/openssh/patches/patch-readconf.c
new file mode 100644
index 0000000..79e5a01
--- /dev/null
+++ b/openssh/patches/patch-readconf.c
@@ -0,0 +1,25 @@
+$NetBSD: patch-readconf.c,v 1.1 2016/01/18 12:53:26 jperkin Exp $
+
+Disable roaming.
+
+--- readconf.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ readconf.c
+@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
+ options->tun_remote = -1;
+ options->local_command = NULL;
+ options->permit_local_command = -1;
+- options->use_roaming = -1;
++ options->use_roaming = 0;
+ options->visual_host_key = -1;
+ options->ip_qos_interactive = -1;
+ options->ip_qos_bulk = -1;
+@@ -1833,8 +1833,7 @@ fill_default_options(Options * options)
+ options->tun_remote = SSH_TUNID_ANY;
+ if (options->permit_local_command == -1)
+ options->permit_local_command = 0;
+- if (options->use_roaming == -1)
+- options->use_roaming = 1;
++ options->use_roaming = 0;
+ if (options->visual_host_key == -1)
+ options->visual_host_key = 0;
+ if (options->ip_qos_interactive == -1)
diff --git a/openssh/patches/patch-sandbox-darwin.c b/openssh/patches/patch-sandbox-darwin.c
new file mode 100644
index 0000000..b6624a0
--- /dev/null
+++ b/openssh/patches/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ struct rlimit rl_zero;
+
+ debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+ if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+ &errmsg) == -1)
++#endif
+ fatal("%s: sandbox_init: %s", __func__, errmsg);
+
+ /*
diff --git a/openssh/patches/patch-scp.c b/openssh/patches/patch-scp.c
new file mode 100644
index 0000000..415ddfb
--- /dev/null
+++ b/openssh/patches/patch-scp.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ scp.c
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
+ argc -= optind;
+ argv += optind;
+
++#ifdef HAVE_INTERIX
++ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
++#else
+ if ((pwd = getpwuid(userid = getuid())) == NULL)
++#endif
+ fatal("unknown user %u", (u_int) userid);
+
+ if (!isatty(STDOUT_FILENO))
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
+ return;
+ }
+ while ((dp = readdir(dirp)) != NULL) {
++#ifndef HAVE_INTERIX
+ if (dp->d_ino == 0)
+ continue;
++#endif
+ if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+ continue;
+ if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
+ case '\'':
+ case '"':
+ case '`':
++#ifndef HAVE_INTERIX
+ case ' ':
++#endif
+ case '#':
+ goto bad;
+ default:
diff --git a/openssh/patches/patch-session.c b/openssh/patches/patch-session.c
new file mode 100644
index 0000000..6a4285c
--- /dev/null
+++ b/openssh/patches/patch-session.c
@@ -0,0 +1,66 @@
+$NetBSD: patch-session.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- session.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ session.c
+@@ -1093,7 +1093,7 @@ read_etc_default_login(char ***env, u_in
+ if (tmpenv == NULL)
+ return;
+
+- if (uid == 0)
++ if (uid == ROOTUID)
+ var = child_get_env(tmpenv, "SUPATH");
+ else
+ var = child_get_env(tmpenv, "PATH");
+@@ -1202,7 +1202,7 @@ do_setup_env(Session *s, const char *she
+ # endif /* HAVE_ETC_DEFAULT_LOGIN */
+ if (path == NULL || *path == '\0') {
+ child_set_env(&env, &envsize, "PATH",
+- s->pw->pw_uid == 0 ?
++ s->pw->pw_uid == ROOTUID ?
+ SUPERUSER_PATH : _PATH_STDPATH);
+ }
+ # endif /* HAVE_CYGWIN */
+@@ -1316,6 +1316,18 @@ do_setup_env(Session *s, const char *she
+ strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
+ read_environment_file(&env, &envsize, buf);
+ }
++
++#ifdef HAVE_INTERIX
++ {
++ /* copy standard Windows environment, then apply changes */
++ env_t *winenv = env_login(pw);
++ env_putarray(winenv, env, ENV_OVERRIDE);
++
++ /* swap over to altered environment as a traditional array */
++ env = env_array(winenv);
++ }
++#endif
++
+ if (debug_flag) {
+ /* dump the environment */
+ fprintf(stderr, "Environment:\n");
+@@ -1510,11 +1522,13 @@ do_setusercontext(struct passwd *pw)
+ perror("setgid");
+ exit(1);
+ }
++# if !defined(HAVE_INTERIX)
+ /* Initialize the group list. */
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ perror("initgroups");
+ exit(1);
+ }
++# endif /* !HAVE_INTERIX */
+ endgrent();
+ #endif
+
+@@ -2356,7 +2370,7 @@ session_pty_cleanup2(Session *s)
+ record_logout(s->pid, s->tty, s->pw->pw_name);
+
+ /* Release the pseudo-tty. */
+- if (getuid() == 0)
++ if (getuid() == ROOTUID)
+ pty_release(s->tty);
+
+ /*
diff --git a/openssh/patches/patch-sftp-common.c b/openssh/patches/patch-sftp-common.c
new file mode 100644
index 0000000..4bf2960
--- /dev/null
+++ b/openssh/patches/patch-sftp-common.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-sftp-common.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Include <unistd.h> for strmode(3).
+
+--- sftp-common.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sftp-common.c
+@@ -37,6 +37,9 @@
+ #include <string.h>
+ #include <time.h>
+ #include <stdarg.h>
++#ifdef HAVE_UNISTD_H
++#include <unistd.h>
++#endif
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
diff --git a/openssh/patches/patch-ssh.c b/openssh/patches/patch-ssh.c
new file mode 100644
index 0000000..32c1235
--- /dev/null
+++ b/openssh/patches/patch-ssh.c
@@ -0,0 +1,26 @@
+$NetBSD: patch-ssh.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+Disable roaming
+
+--- ssh.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ ssh.c
+@@ -1084,7 +1084,7 @@ main(int ac, char **av)
+ "disabling");
+ options.update_hostkeys = 0;
+ }
+-#ifndef HAVE_CYGWIN
++#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
+ if (original_effective_uid != 0)
+ options.use_privileged_port = 0;
+ #endif
+@@ -1932,9 +1932,6 @@ ssh_session2(void)
+ fork_postauth();
+ }
+
+- if (options.use_roaming)
+- request_roaming();
+-
+ return client_loop(tty_flag, tty_flag ?
+ options.escape_char : SSH_ESCAPECHAR_NONE, id);
+ }
diff --git a/openssh/patches/patch-sshd.8 b/openssh/patches/patch-sshd.8
new file mode 100644
index 0000000..085accf
--- /dev/null
+++ b/openssh/patches/patch-sshd.8
@@ -0,0 +1,27 @@
+$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+* Revive tcp_wrappers support.
+
+--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshd.8
+@@ -850,6 +850,12 @@ the user's home directory becomes access
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -953,6 +959,7 @@ The content of this file is not sensitiv
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/openssh/patches/patch-sshd.c b/openssh/patches/patch-sshd.c
new file mode 100644
index 0000000..36b0419
--- /dev/null
+++ b/openssh/patches/patch-sshd.c
@@ -0,0 +1,136 @@
+$NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
+
+* Interix support
+* Revive tcp_wrappers support.
+
+--- sshd.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshd.c
+@@ -126,6 +126,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ #ifndef O_NOCTTY
+ #define O_NOCTTY 0
+ #endif
+@@ -237,7 +244,11 @@ int *startup_pipes = NULL;
+ int startup_pipe; /* in child */
+
+ /* variables used for privilege separation */
++#ifdef HAVE_INTERIX
++int use_privsep = 0;
++#else
+ int use_privsep = -1;
++#endif
+ struct monitor *pmonitor = NULL;
+ int privsep_is_preauth = 1;
+
+@@ -644,10 +655,15 @@ privsep_preauth_child(void)
+ /* XXX not ready, too heavy after chroot */
+ do_setusercontext(privsep_pw);
+ #else
++#ifdef HAVE_INTERIX
++ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser: %.100s", strerror(errno));
++#else
+ gidset[0] = privsep_pw->pw_gid;
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(privsep_pw);
++#endif /* HAVE_INTERIX */
+ #endif
+ }
+
+@@ -715,11 +731,18 @@ privsep_preauth(Authctxt *authctxt)
+ set_log_handler(mm_log_handler, pmonitor);
+
+ /* Demote the child */
+- if (getuid() == 0 || geteuid() == 0)
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++ /* We need to do this before we chroot() so we can read sshd.sb */
++ if (box != NULL)
++ ssh_sandbox_child(box);
++#endif
++ if (getuid() == ROOTUID || geteuid() == ROOTUID)
+ privsep_preauth_child();
+ setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ if (box != NULL)
+ ssh_sandbox_child(box);
++#endif
+
+ return 0;
+ }
+@@ -733,7 +756,7 @@ privsep_postauth(Authctxt *authctxt)
+ #ifdef DISABLE_FD_PASSING
+ if (1) {
+ #else
+- if (authctxt->pw->pw_uid == 0 || options.use_login) {
++ if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
+ #endif
+ /* File descriptor passing is broken or root login */
+ use_privsep = 0;
+@@ -1489,8 +1512,10 @@ main(int ac, char **av)
+ av = saved_argv;
+ #endif
+
+- if (geteuid() == 0 && setgroups(0, NULL) == -1)
++#ifndef HAVE_INTERIX
++ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
++#endif
+
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+@@ -1919,7 +1944,7 @@ main(int ac, char **av)
+ (st.st_uid != getuid () ||
+ (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+ #else
+- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
++ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ #endif
+ fatal("%s must be owned by root and not group or "
+ "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+@@ -1942,8 +1967,10 @@ main(int ac, char **av)
+ * to create a file, and we can't control the code in every
+ * module which might be used).
+ */
++#ifndef HAVE_INTERIX
+ if (setgroups(0, NULL) < 0)
+ debug("setgroups() failed: %.200s", strerror(errno));
++#endif
+
+ if (rexec_flag) {
+ rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
+@@ -2139,6 +2166,25 @@ main(int ac, char **av)
+ audit_connection_from(remote_ip, remote_port);
+ #endif
+
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (packet_connection_is_on_socket()) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+ /* Log the connection. */
+ laddr = get_local_ipaddr(sock_in);
+ verbose("Connection from %s port %d on %s port %d",
diff --git a/openssh/patches/patch-sshpty.c b/openssh/patches/patch-sshpty.c
new file mode 100644
index 0000000..c96ba18
--- /dev/null
+++ b/openssh/patches/patch-sshpty.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshpty.c
+@@ -86,7 +86,7 @@ void
+ pty_release(const char *tty)
+ {
+ #if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
+- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
++ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
+ error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
+ if (chmod(tty, (mode_t) 0666) < 0)
+ error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
+ if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+ if (chown(tty, pw->pw_uid, gid) < 0) {
+ if (errno == EROFS &&
+- (st.st_uid == pw->pw_uid || st.st_uid == 0))
++ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
+ debug("chown(%.100s, %u, %u) failed: %.100s",
+ tty, (u_int)pw->pw_uid, (u_int)gid,
+ strerror(errno));
diff --git a/openssh/patches/patch-uidswap.c b/openssh/patches/patch-uidswap.c
new file mode 100644
index 0000000..3b623b8
--- /dev/null
+++ b/openssh/patches/patch-uidswap.c
@@ -0,0 +1,76 @@
+$NetBSD: patch-uidswap.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- uidswap.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ uidswap.c
+@@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw)
+ (u_int)pw->pw_uid, (u_int)pw->pw_gid,
+ (u_int)saved_euid, (u_int)saved_egid);
+ #ifndef HAVE_CYGWIN
+- if (saved_euid != 0) {
++ if (saved_euid != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+ #endif
+ #else
+- if (geteuid() != 0) {
++ if (geteuid() != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+@@ -96,9 +96,11 @@ temporarily_use_uid(struct passwd *pw)
+
+ /* set and save the user's groups */
+ if (user_groupslen == -1) {
++#ifndef HAVE_INTERIX
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ fatal("initgroups: %s: %.100s", pw->pw_name,
+ strerror(errno));
++#endif
+
+ user_groupslen = getgroups(0, NULL);
+ if (user_groupslen < 0)
+@@ -112,9 +114,11 @@ temporarily_use_uid(struct passwd *pw)
+ free(user_groups);
+ }
+ }
++#ifndef HAVE_INTERIX
+ /* Set the effective uid to the given (unprivileged) uid. */
+ if (setgroups(user_groupslen, user_groups) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
++#endif
+ #ifndef SAVED_IDS_WORK_WITH_SETEUID
+ /* Propagate the privileged gid to all of our gids. */
+ if (setgid(getegid()) < 0)
+@@ -187,8 +191,10 @@ restore_uid(void)
+ setgid(getgid());
+ #endif /* SAVED_IDS_WORK_WITH_SETEUID */
+
++#ifndef HAVE_INTERIX
+ if (setgroups(saved_egroupslen, saved_egroups) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
++#endif
+ temporarily_use_uid_effective = 0;
+ }
+
+@@ -211,6 +217,10 @@ permanently_set_uid(struct passwd *pw)
+ debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+ (u_int)pw->pw_gid);
+
++#if defined(HAVE_INTERIX)
++ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
++#else
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+ fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+
+@@ -247,6 +257,7 @@ permanently_set_uid(struct passwd *pw)
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ fatal("%s: was able to restore old [e]uid", __func__);
+ #endif
++#endif /* HAVE_INTERIX */
+
+ /* Verify UID drop was successful */
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
Home |
Main Index |
Thread Index |
Old Index