pkgsrc-WIP-changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
openssh8: copy of security/openssh updated to 8.0p1.
Module Name: pkgsrc-wip
Committed By: Aleksej Lebedev <root%zta.lk@localhost>
Pushed By: zhtw
Date: Wed May 1 13:37:37 2019 +0000
Changeset: 4f800ff6286f83357b89ae964ca05f0f9c652f09
Added Files:
openssh/DESCR
openssh/INSTALL
openssh/MESSAGE.Interix
openssh/MESSAGE.pam
openssh/Makefile
openssh/PLIST
openssh/distinfo
openssh/files/org.openssh.sshd.sb.in
openssh/files/smf/manifest.xml
openssh/files/smf/sshd.sh
openssh/files/sshd.sh
openssh/options.mk
openssh/patches/patch-Makefile.in
openssh/patches/patch-auth-passwd.c
openssh/patches/patch-auth-rhosts.c
openssh/patches/patch-auth.c
openssh/patches/patch-auth2.c
openssh/patches/patch-clientloop.c
openssh/patches/patch-config.h.in
openssh/patches/patch-configure.ac
openssh/patches/patch-defines.h
openssh/patches/patch-includes.h
openssh/patches/patch-loginrec.c
openssh/patches/patch-openbsd-compat_bsd-openpty.c
openssh/patches/patch-openbsd-compat_openbsd-compat.h
openssh/patches/patch-openbsd-compat_port-tun.c
openssh/patches/patch-platform.c
openssh/patches/patch-sandbox-darwin.c
openssh/patches/patch-scp.c
openssh/patches/patch-session.c
openssh/patches/patch-sftp-common.c
openssh/patches/patch-sshd.8
openssh/patches/patch-sshd.c
openssh/patches/patch-sshpty.c
openssh/patches/patch-uidswap.c
openssh/t
openssh8/DESCR
openssh8/INSTALL
openssh8/MESSAGE.Interix
openssh8/MESSAGE.pam
openssh8/Makefile
openssh8/PLIST
openssh8/distinfo
openssh8/files/org.openssh.sshd.sb.in
openssh8/files/smf/manifest.xml
openssh8/files/smf/sshd.sh
openssh8/files/sshd.sh
openssh8/options.mk
openssh8/patches/patch-Makefile.in
openssh8/patches/patch-auth-passwd.c
openssh8/patches/patch-auth-rhosts.c
openssh8/patches/patch-auth.c
openssh8/patches/patch-auth2.c
openssh8/patches/patch-clientloop.c
openssh8/patches/patch-config.h.in
openssh8/patches/patch-configure.ac
openssh8/patches/patch-defines.h
openssh8/patches/patch-includes.h
openssh8/patches/patch-loginrec.c
openssh8/patches/patch-openbsd-compat_bsd-openpty.c
openssh8/patches/patch-openbsd-compat_openbsd-compat.h
openssh8/patches/patch-openbsd-compat_port-tun.c
openssh8/patches/patch-platform.c
openssh8/patches/patch-sandbox-darwin.c
openssh8/patches/patch-scp.c
openssh8/patches/patch-session.c
openssh8/patches/patch-sftp-common.c
openssh8/patches/patch-sshd.8
openssh8/patches/patch-sshd.c
openssh8/patches/patch-sshpty.c
openssh8/patches/patch-uidswap.c
Log Message:
openssh8: copy of security/openssh updated to 8.0p1.
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=4f800ff6286f83357b89ae964ca05f0f9c652f09
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
openssh/DESCR | 14 ++
openssh/INSTALL | 36 ++++
openssh/MESSAGE.Interix | 20 ++
openssh/MESSAGE.pam | 9 +
openssh/Makefile | 209 +++++++++++++++++++++
openssh/PLIST | 31 +++
openssh/distinfo | 29 +++
openssh/files/org.openssh.sshd.sb.in | 23 +++
openssh/files/smf/manifest.xml | 46 +++++
openssh/files/smf/sshd.sh | 68 +++++++
openssh/files/sshd.sh | 115 ++++++++++++
openssh/options.mk | 51 +++++
openssh/patches/patch-Makefile.in | 31 +++
openssh/patches/patch-auth-passwd.c | 27 +++
openssh/patches/patch-auth-rhosts.c | 33 ++++
openssh/patches/patch-auth.c | 27 +++
openssh/patches/patch-auth2.c | 15 ++
openssh/patches/patch-clientloop.c | 63 +++++++
openssh/patches/patch-config.h.in | 37 ++++
openssh/patches/patch-configure.ac | 138 ++++++++++++++
openssh/patches/patch-defines.h | 47 +++++
openssh/patches/patch-includes.h | 17 ++
openssh/patches/patch-loginrec.c | 68 +++++++
openssh/patches/patch-openbsd-compat_bsd-openpty.c | 22 +++
.../patches/patch-openbsd-compat_openbsd-compat.h | 17 ++
openssh/patches/patch-openbsd-compat_port-tun.c | 45 +++++
openssh/patches/patch-platform.c | 16 ++
openssh/patches/patch-sandbox-darwin.c | 23 +++
openssh/patches/patch-scp.c | 39 ++++
openssh/patches/patch-session.c | 65 +++++++
openssh/patches/patch-sftp-common.c | 14 ++
openssh/patches/patch-sshd.8 | 27 +++
openssh/patches/patch-sshd.c | 137 ++++++++++++++
openssh/patches/patch-sshpty.c | 24 +++
openssh/patches/patch-uidswap.c | 77 ++++++++
openssh/t | 136 ++++++++++++++
openssh8/DESCR | 14 ++
openssh8/INSTALL | 36 ++++
openssh8/MESSAGE.Interix | 20 ++
openssh8/MESSAGE.pam | 9 +
openssh8/Makefile | 209 +++++++++++++++++++++
openssh8/PLIST | 31 +++
openssh8/distinfo | 29 +++
openssh8/files/org.openssh.sshd.sb.in | 23 +++
openssh8/files/smf/manifest.xml | 46 +++++
openssh8/files/smf/sshd.sh | 68 +++++++
openssh8/files/sshd.sh | 115 ++++++++++++
openssh8/options.mk | 51 +++++
openssh8/patches/patch-Makefile.in | 31 +++
openssh8/patches/patch-auth-passwd.c | 27 +++
openssh8/patches/patch-auth-rhosts.c | 33 ++++
openssh8/patches/patch-auth.c | 27 +++
openssh8/patches/patch-auth2.c | 15 ++
openssh8/patches/patch-clientloop.c | 63 +++++++
openssh8/patches/patch-config.h.in | 37 ++++
openssh8/patches/patch-configure.ac | 138 ++++++++++++++
openssh8/patches/patch-defines.h | 47 +++++
openssh8/patches/patch-includes.h | 17 ++
openssh8/patches/patch-loginrec.c | 68 +++++++
.../patches/patch-openbsd-compat_bsd-openpty.c | 22 +++
.../patches/patch-openbsd-compat_openbsd-compat.h | 17 ++
openssh8/patches/patch-openbsd-compat_port-tun.c | 45 +++++
openssh8/patches/patch-platform.c | 16 ++
openssh8/patches/patch-sandbox-darwin.c | 23 +++
openssh8/patches/patch-scp.c | 39 ++++
openssh8/patches/patch-session.c | 65 +++++++
openssh8/patches/patch-sftp-common.c | 14 ++
openssh8/patches/patch-sshd.8 | 27 +++
openssh8/patches/patch-sshd.c | 137 ++++++++++++++
openssh8/patches/patch-sshpty.c | 24 +++
openssh8/patches/patch-uidswap.c | 77 ++++++++
71 files changed, 3456 insertions(+)
diffs:
diff --git a/openssh/DESCR b/openssh/DESCR
new file mode 100644
index 0000000000..764ae7f090
--- /dev/null
+++ b/openssh/DESCR
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.
diff --git a/openssh/INSTALL b/openssh/INSTALL
new file mode 100644
index 0000000000..8b8d1d310e
--- /dev/null
+++ b/openssh/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+ for dir in $DIRS; do
+ if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+ for file in $FILES; do
+ path=$dir/$file
+ if [ -f $path ]; then
+ ${CAT} <<EOF
+===========================================================================
+
+ *===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+ @PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+ exit
+ fi
+ done
+ fi
+ done
+ ;;
+esac
diff --git a/openssh/MESSAGE.Interix b/openssh/MESSAGE.Interix
new file mode 100644
index 0000000000..ee57d65d24
--- /dev/null
+++ b/openssh/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+ native lookup services. This requires that /etc/resolv.conf be set up
+ properly with a "nameserver" line; see resolv.conf(5). In most
+ installations, this was generated automatically when Services for UNIX
+ was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+ to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+ logging in through sshd thanks to the way the Windows security API works.
+ A workaround is to "exec su USERNAME" after logging in, which will use
+ the password to create a proper Windows access credential key.
+
+===========================================================================
diff --git a/openssh/MESSAGE.pam b/openssh/MESSAGE.pam
new file mode 100644
index 0000000000..e111287144
--- /dev/null
+++ b/openssh/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+ ${EGDIR}/sshd.pam
+
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================
diff --git a/openssh/Makefile b/openssh/Makefile
new file mode 100644
index 0000000000..0f497cfb75
--- /dev/null
+++ b/openssh/Makefile
@@ -0,0 +1,209 @@
+# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
+
+DISTNAME= openssh-8.0p1
+PKGNAME= ${DISTNAME:S/p1/.1/}
+PKGREVISION= 1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+
+MAINTAINER= pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE= http://www.openssh.com/
+COMMENT= Open Source Secure shell client and server (remote login program)
+LICENSE= modified-bsd
+
+CONFLICTS= sftp-[0-9]*
+CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+= openssh+gssapi-[0-9]*
+CONFLICTS+= lsh>2.0
+BROKEN_ON_PLATFORM+= OpenBSD-*-*
+
+USE_GCC_RUNTIME= yes
+USE_TOOLS+= autoconf perl
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+= IPV6_READY
+
+PKG_GROUPS_VARS+= OPENSSH_GROUP
+PKG_USERS_VARS+= OPENSSH_USER
+BUILD_DEFS+= OPENSSH_CHROOT
+BUILD_DEFS+= VARBASE
+
+INSTALL_TARGET= install-nokeys
+
+.include "options.mk"
+
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+= --disable-strip
+
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+= ac_cv_func_openpty=no
+CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
+CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
+. if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+= -I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+. elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+= -I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+. endif
+LDFLAGS+= -L/usr/local/lib/bind
+LIBS+= -lbind -ldb -lcrypt
+
+.else # not Interix
+
+PKG_GROUPS= ${OPENSSH_GROUP}
+PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
+
+PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
+
+.endif
+
+SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
+
+PKG_SYSCONFSUBDIR= ssh
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-mantype=man
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
+.endif
+
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+= --without-zlib-version-check
+
+.if ${_PKGSRC_MKPIE} != "no"
+CONFIGURE_ARGS+= --with-pie
+.endif
+
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+= LD=${CC:Q}
+
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+. include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
+
+.if (${OPSYS} == "NetBSD")
+. if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+= --disable-libutil
+. endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it. So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+= ac_cv_func_strnvis=no
+#
+# workaround for ./configure problem, pkg/50936
+#
+CONFIGURE_ENV+= ac_cv_func_reallocarray=no
+.endif
+
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
+.endif
+
+CONFIGURE_ARGS.Linux+= --enable-md5-password
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
+.endif
+
+CONFS= ssh_config sshd_config moduli
+
+PLIST_VARS+= darwin
+
+EGDIR= ${PREFIX}/share/examples/${PKGBASE}
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+
+.for f in ${CONFS}
+CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS= ${OPENSSH_CHROOT}
+RCD_SCRIPTS= sshd
+RCD_SCRIPT_SRC.sshd= ${WRKDIR}/sshd.sh
+SMF_METHODS= sshd
+
+FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR}
+
+SUBST_CLASSES+= patch
+SUBST_STAGE.patch= pre-configure
+SUBST_FILES.patch= session.c sandbox-darwin.c
+SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch= PKG_SYSCONFDIR
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+ cd ${WRKSRC} && autoconf -i
+
+post-configure:
+ if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
+ ${WRKSRC}/config.h; then \
+ ${SED} -e '/HAVE_ECDSA/s/.*//' \
+ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+ else \
+ ${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+ fi
+ ${SED} -e 's,@VARBASE@,${VARBASE},g' \
+ < ${FILESDIR}/org.openssh.sshd.sb.in \
+ > ${WRKDIR}/org.openssh.sshd.sb
+
+post-install:
+ ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+ cd ${WRKSRC}; for file in ${CONFS}; do \
+ ${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
+ done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+ ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+ ${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+ ${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+ ${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/openssh/PLIST b/openssh/PLIST
new file mode 100644
index 0000000000..1c18b8b3e9
--- /dev/null
+++ b/openssh/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
+bin/scp
+bin/sftp
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config
diff --git a/openssh/distinfo b/openssh/distinfo
new file mode 100644
index 0000000000..58f19de962
--- /dev/null
+++ b/openssh/distinfo
@@ -0,0 +1,29 @@
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
+
+SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
+RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+Size (openssh-8.0p1.tar.gz) = 1597697 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
+SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4
diff --git a/openssh/files/org.openssh.sshd.sb.in b/openssh/files/org.openssh.sshd.sb.in
new file mode 100644
index 0000000000..e060377c92
--- /dev/null
+++ b/openssh/files/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.logger"))
diff --git a/openssh/files/smf/manifest.xml b/openssh/files/smf/manifest.xml
new file mode 100644
index 0000000000..71e9800b9b
--- /dev/null
+++ b/openssh/files/smf/manifest.xml
@@ -0,0 +1,46 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+ <service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+ <create_default_instance enabled='false'/>
+ <single_instance/>
+ <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/filesystem/local'/>
+ </dependency>
+ <dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/network/loopback'/>
+ </dependency>
+ <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/network/physical'/>
+ </dependency>
+ <dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/cryptosvc'/>
+ </dependency>
+ <dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/utmp'/>
+ </dependency>
+ <dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
+ <service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
+ </dependency>
+ <dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
+ <service_fmri value='svc:/milestone/multi-user-server'/>
+ </dependent>
+ <exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
+ <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+ <exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
+ <property_group name='general' type='framework'>
+ <property name='action_authorization' type='astring'/>
+ </property_group>
+ <property_group name='startd' type='framework'>
+ <propval name='ignore_error' type='astring' value='core,signal'/>
+ </property_group>
+ <template>
+ <common_name>
+ <loctext xml:lang='C'>OpenSSH server</loctext>
+ </common_name>
+ <documentation>
+ <manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
+ </documentation>
+ </template>
+ </service>
+</service_bundle>
diff --git a/openssh/files/smf/sshd.sh b/openssh/files/smf/sshd.sh
new file mode 100644
index 0000000000..0ab48193b1
--- /dev/null
+++ b/openssh/files/smf/sshd.sh
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "@(#)sshd 1.4 04/11/17 SMI"
+
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+ keypath=$1
+ keytype=$2
+
+ if [ ! -f $keypath ]; then
+ grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo Creating new $keytype public/private host key pair
+ $KEYGEN -f $keypath -t $keytype -N ''
+ return $?
+ fi
+ fi
+
+ return 0
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in
+ # sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+ create_key $SSHDIR/ssh_host_rsa_key rsa
+ create_key $SSHDIR/ssh_host_dsa_key dsa
+ ;;
+
+'-u')
+ # sys-unconfig(1M) knows how to remove ssh host keys, so there's
+ # nothing to do here.
+ :
+ ;;
+
+ # SMF arguments (start and restart [really "refresh"])
+'start')
+ @PREFIX@/sbin/sshd
+ ;;
+
+'restart')
+ if [ -f "$PIDFILE" ]; then
+ /usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+ fi
+ ;;
+
+*)
+ echo "Usage: $0 { start | restart }"
+ exit 1
+ ;;
+esac
+
+exit $?
diff --git a/openssh/files/sshd.sh b/openssh/files/sshd.sh
new file mode 100644
index 0000000000..8493e047e4
--- /dev/null
+++ b/openssh/files/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+ . /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+ (
+ umask 022
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+ @ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+ @ECHO@ "Skipping protocol version 2 DSA Key Generation"
+ else
+ ${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+ fi
+
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+ @ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+ @ECHO@ "Skipping protocol version 2 RSA Key Generation"
+ else
+ ${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+ fi
+# HAVE_ECDSA_START
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+ @ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+ @ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+ else
+ ${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+ fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+ @ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+ @ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+ else
+ ${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+ fi
+# HAVE_ED25519_STOP
+ )
+}
+
+sshd_precmd()
+{
+ if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+ if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+ then
+ run_rc_command keygen
+ else
+ eval ${keygen_cmd}
+ fi
+ fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+ load_rc_config $name
+ run_rc_command "$1"
+else
+ case ${1:-start} in
+ start)
+ if [ -x ${command} -a -f ${required_files} ]
+ then
+ @ECHO@ "Starting ${name}."
+ eval ${start_precmd}
+ eval ${command} ${sshd_flags} ${command_args}
+ fi
+ ;;
+ stop)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "Stopping ${name}."
+ kill -TERM ${pid}
+ else
+ @ECHO@ "${name} not running?"
+ fi
+ ;;
+ restart)
+ ( $0 stop )
+ sleep 1
+ $0 start
+ ;;
+ status)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "${name} is running as pid ${pid}."
+ else
+ @ECHO@ "${name} is not running."
+ fi
+ ;;
+ keygen)
+ eval ${keygen_cmd}
+ ;;
+ esac
+fi
diff --git a/openssh/options.mk b/openssh/options.mk
new file mode 100644
index 0000000000..6e941d6b5b
--- /dev/null
+++ b/openssh/options.mk
@@ -0,0 +1,51 @@
+# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUGGESTED_OPTIONS= editline openssl
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+= pam
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mopenssl)
+.include "../../security/openssl/buildlink3.mk"
+CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
+.else
+CONFIGURE_ARGS+= --without-openssl
+.endif
+
+.if !empty(PKG_OPTIONS:Mkerberos)
+. include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE}
+. if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
+. endif
+.endif
+
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP= -p1
+#.endif
+
+PLIST_VARS+= pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+= --with-pam
+MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+= EGDIR=${EGDIR}
+. if ${OPSYS} == "Linux"
+PLIST.pam= yes
+. endif
+.endif
+
+.if !empty(PKG_OPTIONS:Meditline)
+.include "../../devel/editline/buildlink3.mk"
+CONFIGURE_ARGS+= --with-libedit=${BUILDLINK_PREFIX.editline}
+.endif
diff --git a/openssh/patches/patch-Makefile.in b/openssh/patches/patch-Makefile.in
new file mode 100644
index 0000000000..969eab46e7
--- /dev/null
+++ b/openssh/patches/patch-Makefile.in
@@ -0,0 +1,31 @@
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Removed install-sysconf as we handle that phase through post-install
+
+--- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000
++++ Makefile.in
+@@ -1,5 +1,5 @@
+ # uncomment if you run a non bourne compatible shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+
+ AUTORECONF=autoreconf
+
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+ DESTDIR=
+ VPATH=@srcdir@
+ SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+ -rm -rf autom4te.cache .depend.bak
+
+ install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
++install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+
+ check-config:
diff --git a/openssh/patches/patch-auth-passwd.c b/openssh/patches/patch-auth-passwd.c
new file mode 100644
index 0000000000..68ed2fc1ec
--- /dev/null
+++ b/openssh/patches/patch-auth-passwd.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth-passwd.c
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
+ return 0;
+
+ #ifndef HAVE_CYGWIN
+- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ ok = 0;
+ #endif
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
+ authctxt->force_pwchange = 1;
+ }
+ #endif
++#ifdef HAVE_INTERIX
++ result = (!setuser(pw->pw_name, password, SU_CHECK));
++#else
+ result = sys_auth_passwd(ssh, password);
++#endif
+ if (authctxt->force_pwchange)
+ auth_restrict_session(ssh);
+ return (result && ok);
diff --git a/openssh/patches/patch-auth-rhosts.c b/openssh/patches/patch-auth-rhosts.c
new file mode 100644
index 0000000000..fef060635c
--- /dev/null
+++ b/openssh/patches/patch-auth-rhosts.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth-rhosts.c
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * If not logging in as superuser, try /etc/hosts.equiv and
+ * shosts.equiv.
+ */
+- if (pw->pw_uid == 0)
++ if (pw->pw_uid == ROOTUID)
+ debug3("%s: root user, ignoring system hosts files", __func__);
+ else {
+ if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ return 0;
+ }
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: "
+ "bad ownership or modes for home directory.", pw->pw_name);
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * allowing access to their account by anyone.
+ */
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+ pw->pw_name, buf);
diff --git a/openssh/patches/patch-auth.c b/openssh/patches/patch-auth.c
new file mode 100644
index 0000000000..719484c161
--- /dev/null
+++ b/openssh/patches/patch-auth.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+ vs. default login class distinction is made correctly, from FrrrBSD's
+ ports.
+
+--- auth.c.orig 2019-05-01 11:28:52.028281617 +0000
++++ auth.c
+@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
+ user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+ if (options.strict_modes &&
+ (stat(user_hostfile, &st) == 0) &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Authentication refused for %.100s: "
+ "bad owner or modes for %.200s",
+@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
+ if (!allowed_user(ssh, pw))
+ return (NULL);
+ #ifdef HAVE_LOGIN_CAP
+- if ((lc = login_getclass(pw->pw_class)) == NULL) {
++ if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
+ debug("unable to get login class: %s", user);
+ return (NULL);
+ }
diff --git a/openssh/patches/patch-auth2.c b/openssh/patches/patch-auth2.c
new file mode 100644
index 0000000000..2182d4afc7
--- /dev/null
+++ b/openssh/patches/patch-auth2.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth2.c
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
+ fatal("INTERNAL ERROR: authenticated and postponed");
+
+ /* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ !auth_root_allowed(ssh, method)) {
+ authenticated = 0;
+ #ifdef SSH_AUDIT_EVENTS
diff --git a/openssh/patches/patch-clientloop.c b/openssh/patches/patch-clientloop.c
new file mode 100644
index 0000000000..1089e0330c
--- /dev/null
+++ b/openssh/patches/patch-clientloop.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
++++ clientloop.c
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+ struct stat st;
+ u_int now, x11_timeout_real;
+
++#if __APPLE__
++ int is_path_to_socket = 0;
++#endif /* __APPLE__ */
++
+ *_proto = proto;
+ *_data = data;
+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+ }
+
+ if (xauth_path != NULL) {
++#if __APPLE__
++ {
++ /*
++ * If using launchd socket, remove the screen number from the end
++ * of $DISPLAY. is_path_to_socket is used later in this function
++ * to determine if an error should be displayed.
++ */
++ char path[PATH_MAX];
++ struct stat sbuf;
++
++ strlcpy(path, display, sizeof(path));
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ } else {
++ char *dot = strrchr(path, '.');
++ if (dot) {
++ *dot = '\0';
++ /* screen = atoi(dot + 1); */
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
++ setenv("DISPLAY", path, 1);
++ }
++ }
++ }
++ }
++#endif /* __APPLE__ */
+ /*
+ * Handle FamilyLocal case where $DISPLAY does
+ * not match an authorization entry. For this we
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+ u_int8_t rnd[16];
+ u_int i;
+
++#if __APPLE__
++ if (!is_path_to_socket)
++#endif /* __APPLE__ */
+ logit("Warning: No xauth data; "
+ "using fake authentication data for X11 forwarding.");
+ strlcpy(proto, SSH_X11_PROTO, sizeof proto);
diff --git a/openssh/patches/patch-config.h.in b/openssh/patches/patch-config.h.in
new file mode 100644
index 0000000000..c1bb668067
--- /dev/null
+++ b/openssh/patches/patch-config.h.in
@@ -0,0 +1,37 @@
+$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+* Added Interix and define new path to if_tun.h.
+* Revive tcp_wrappers support.
+
+--- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000
++++ config.h.in
+@@ -741,6 +741,9 @@
+ /* define if you have int64_t data type */
+ #undef HAVE_INT64_T
+
++/* Define if you are on Interix */
++#undef HAVE_INTERIX
++
+ /* Define to 1 if the system has the type `intmax_t'. */
+ #undef HAVE_INTMAX_T
+
+@@ -910,6 +913,9 @@
+ /* Define to 1 if you have the <net/route.h> header file. */
+ #undef HAVE_NET_ROUTE_H
+
++/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
++#undef HAVE_NET_TUN_IF_TUN_H
++
+ /* Define if you are on NeXT */
+ #undef HAVE_NEXT
+
+@@ -1617,6 +1623,9 @@
+ /* Define if pututxline updates lastlog too */
+ #undef LASTLOG_WRITE_PUTUTXLINE
+
++/* Define if you want TCP Wrappers support */
++#undef LIBWRAP
++
+ /* Define to whatever link() returns for "not supported" if it doesn't return
+ EOPNOTSUPP. */
+ #undef LINK_OPNOTSUPP_ERRNO
diff --git a/openssh/patches/patch-configure.ac b/openssh/patches/patch-configure.ac
new file mode 100644
index 0000000000..ec50365d8e
--- /dev/null
+++ b/openssh/patches/patch-configure.ac
@@ -0,0 +1,138 @@
+$NetBSD$
+
+--- configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
++++ configure.ac
+@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
+ ]
+ )
+
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH([cflags],
+ [ --with-cflags Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+ maillock.h \
+ ndir.h \
+ net/if_tun.h \
++ net/tun/if_tun.h \
+ netdb.h \
+ netgroup.h \
+ pam/pam_appl.h \
+@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+ ;;
+ esac
+ ;;
++*-*-interix*)
++ AC_DEFINE(HAVE_INTERIX)
++ AC_DEFINE(DISABLE_FD_PASSING)
++ AC_DEFINE(DISABLE_SHADOW)
++ AC_DEFINE(IP_TOS_IS_BROKEN)
++ AC_DEFINE(MISSING_HOWMANY)
++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++ AC_DEFINE(USE_PIPES)
++ ;;
+ *-*-irix5*)
+ PATH="$PATH:/usr/etc"
+ AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@ else
+ AC_MSG_RESULT([no])
+ fi
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ ])
+ if test -z "$conf_wtmpx_location"; then
+ if test x"$system_wtmpx_path" = x"no" ; then
+- AC_DEFINE([DISABLE_WTMPX])
++ for f in /var/log/wtmpx; do
++ if test -f $f ; then
++ conf_wtmpx_location=$f
++ fi
++ done
++ if test -z "$conf_wtmpx_location"; then
++ AC_DEFINE(DISABLE_WTMPX)
++ fi
+ fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+ AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+ [Define if you want to specify the path to your wtmpx file])
+ fi
+@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
+ echo " User binaries: $B"
+ echo " System binaries: $C"
+ echo " Configuration files: $D"
+-echo " Askpass program: $E"
++echo " Askpass program: ${ASKPASS_PROGRAM}"
+ echo " Manual pages: $F"
+ echo " PID file: $G"
+ echo " Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@ echo " PAM support
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " libldns support: $LDNS_MSG"
diff --git a/openssh/patches/patch-defines.h b/openssh/patches/patch-defines.h
new file mode 100644
index 0000000000..63788b31ba
--- /dev/null
+++ b/openssh/patches/patch-defines.h
@@ -0,0 +1,47 @@
+$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Define ROOTUID, UTMPX_FILE and WTMPX_FILE
+
+--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ defines.h
+@@ -30,6 +30,15 @@
+
+ /* Constants */
+
++#ifdef HAVE_INTERIX
++/* Interix has a special concept of "administrator". */
++# define ROOTUID 197108
++# define ROOTGID 131616
++#else
++# define ROOTUID 0
++# define ROOTGID 0
++#endif
++
+ #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
+ enum
+ {
+@@ -721,6 +730,24 @@ struct winsize {
+ # endif
+ # endif
+ #endif
++#ifndef UTMPX_FILE
++# ifdef _PATH_UTMPX
++# define UTMPX_FILE _PATH_UTMPX
++# else
++# ifdef CONF_UTMPX_FILE
++# define UTMPX_FILE CONF_UTMPX_FILE
++# endif
++# endif
++#endif
++#ifndef WTMPX_FILE
++# ifdef _PATH_WTMPX
++# define WTMPX_FILE _PATH_WTMPX
++# else
++# ifdef CONF_WTMPX_FILE
++# define WTMPX_FILE CONF_WTMPX_FILE
++# endif
++# endif
++#endif
+ /* pick up the user's location for lastlog if given */
+ #ifndef LASTLOG_FILE
+ # ifdef _PATH_LASTLOG
diff --git a/openssh/patches/patch-includes.h b/openssh/patches/patch-includes.h
new file mode 100644
index 0000000000..5e54a9dcd8
--- /dev/null
+++ b/openssh/patches/patch-includes.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ includes.h
+@@ -127,6 +127,10 @@
+ #ifdef HAVE_READPASSPHRASE_H
+ # include <readpassphrase.h>
+ #endif
++#ifdef HAVE_INTERIX
++# include <interix/env.h>
++# include <interix/security.h>
++#endif
+
+ #ifdef HAVE_IA_H
+ # include <ia.h>
diff --git a/openssh/patches/patch-loginrec.c b/openssh/patches/patch-loginrec.c
new file mode 100644
index 0000000000..fa56d5a158
--- /dev/null
+++ b/openssh/patches/patch-loginrec.c
@@ -0,0 +1,68 @@
+$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support and related fixes. Fix build on FreeBSD.
+
+--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ loginrec.c
+@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
+ int
+ login_write(struct logininfo *li)
+ {
+-#ifndef HAVE_CYGWIN
+- if (geteuid() != 0) {
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++ if (geteuid() != ROOTUID) {
+ logit("Attempt to write login records by non-root user (aborting)");
+ return (1);
+ }
+@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
+
+ /* set the timestamp */
+ login_set_current_time(li);
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && (HAVE_UTMP_H)
+ syslogin_write_entry(li);
+ #endif
+ #ifdef USE_LASTLOG
+@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
+ ** into account.
+ **/
+
+-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
+
+ /* build the utmp structure */
+ void
+@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
+ set_utmpx_time(li, utx);
+ utx->ut_pid = li->pid;
+
+- /* strncpy(): Don't necessarily want null termination */
+- strncpy(utx->ut_user, li->username,
+- MIN_SIZEOF(utx->ut_user, li->username));
+-
+ if (li->type == LTYPE_LOGOUT)
+ return;
+
+@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
+ * for logouts.
+ */
+
++ /* strncpy(): Don't necessarily want null termination */
++#if defined(__FreeBSD__)
++ strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
++#else
++ strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
++#endif
+ # ifdef HAVE_HOST_IN_UTMPX
+ strncpy(utx->ut_host, li->hostname,
+ MIN_SIZEOF(utx->ut_host, li->hostname));
+@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
+ ** Low-level libutil login() functions
+ **/
+
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
+ static int
+ syslogin_perform_login(struct logininfo *li)
+ {
diff --git a/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/openssh/patches/patch-openbsd-compat_bsd-openpty.c
new file mode 100644
index 0000000000..adbacbee3a
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_bsd-openpty.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
+
+Interix support
+
+--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
++++ openbsd-compat/bsd-openpty.c
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
+ return (-1);
+ }
+
++#if !defined(HAVE_INTERIX)
+ /*
+ * Try to push the appropriate streams modules, as described
+ * in Solaris pts(7).
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
+ # ifndef __hpux
+ ioctl(*aslave, I_PUSH, "ttcompat");
+ # endif /* __hpux */
++#endif /* !HAVE_INTERIX */
+
+ return (0);
+
diff --git a/openssh/patches/patch-openbsd-compat_openbsd-compat.h b/openssh/patches/patch-openbsd-compat_openbsd-compat.h
new file mode 100644
index 0000000000..771757f15f
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_openbsd-compat.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+strtoll() declaration
+
+--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/openbsd-compat.h
+@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
+ int setenv(register const char *name, register const char *value, int rewrite);
+ #endif
+
++#ifndef HAVE_STRTOLL
++long long strtoll(const char *, char **, int);
++#endif
++
+ #ifndef HAVE_STRMODE
+ void strmode(int mode, char *p);
+ #endif
diff --git a/openssh/patches/patch-openbsd-compat_port-tun.c b/openssh/patches/patch-openbsd-compat_port-tun.c
new file mode 100644
index 0000000000..e538617426
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_port-tun.c
@@ -0,0 +1,45 @@
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
+
+if_tun.h can be found in net/tun
+
+--- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ openbsd-compat/port-net.c
+@@ -1,3 +1,4 @@
++
+ /*
+ * Copyright (c) 2005 Reyk Floeter <reyk%openbsd.org@localhost>
+ *
+@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
+ #include <sys/socket.h>
+ #include <net/if.h>
+
++#ifdef HAVE_NET_TUN_IF_TUN_H
++#include <net/tun/if_tun.h>
++#endif
++
+ #ifdef HAVE_NET_IF_TUN_H
+ #include <net/if_tun.h>
+ #endif
+@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
+ {
+ struct ifreq ifr;
+ char name[100];
+- int fd = -1, sock, flag;
++ int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++ int flag;
++#endif
+ const char *tunbase = "tun";
+
+ if (ifname != NULL)
+@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
+ return (-1);
+ }
+
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ /* Turn on tunnel headers */
+ flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ if (mode != SSH_TUNMODE_ETHERNET &&
+ ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
diff --git a/openssh/patches/patch-platform.c b/openssh/patches/patch-platform.c
new file mode 100644
index 0000000000..fe837c1b5a
--- /dev/null
+++ b/openssh/patches/patch-platform.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ platform.c
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
+ /* uid 0 is not special on Cygwin so always try */
+ return 1;
+ #else
++#if !defined(HAVE_INTERIX)
+ return (getuid() == 0 || geteuid() == 0);
++#endif /* !HAVE_INTERIX */
+ #endif
+ }
+
diff --git a/openssh/patches/patch-sandbox-darwin.c b/openssh/patches/patch-sandbox-darwin.c
new file mode 100644
index 0000000000..b6624a068e
--- /dev/null
+++ b/openssh/patches/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ struct rlimit rl_zero;
+
+ debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+ if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+ &errmsg) == -1)
++#endif
+ fatal("%s: sandbox_init: %s", __func__, errmsg);
+
+ /*
diff --git a/openssh/patches/patch-scp.c b/openssh/patches/patch-scp.c
new file mode 100644
index 0000000000..415ddfbc2b
--- /dev/null
+++ b/openssh/patches/patch-scp.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ scp.c
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
+ argc -= optind;
+ argv += optind;
+
++#ifdef HAVE_INTERIX
++ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
++#else
+ if ((pwd = getpwuid(userid = getuid())) == NULL)
++#endif
+ fatal("unknown user %u", (u_int) userid);
+
+ if (!isatty(STDOUT_FILENO))
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
+ return;
+ }
+ while ((dp = readdir(dirp)) != NULL) {
++#ifndef HAVE_INTERIX
+ if (dp->d_ino == 0)
+ continue;
++#endif
+ if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+ continue;
+ if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
+ case '\'':
+ case '"':
+ case '`':
++#ifndef HAVE_INTERIX
+ case ' ':
++#endif
+ case '#':
+ goto bad;
+ default:
diff --git a/openssh/patches/patch-session.c b/openssh/patches/patch-session.c
new file mode 100644
index 0000000000..d0b9df8d7d
--- /dev/null
+++ b/openssh/patches/patch-session.c
@@ -0,0 +1,65 @@
+$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
+
+* Interix support.
+
+--- session.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ session.c
+@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
+ if (tmpenv == NULL)
+ return;
+
+- if (uid == 0)
++ if (uid == ROOTUID)
+ var = child_get_env(tmpenv, "SUPATH");
+ else
+ var = child_get_env(tmpenv, "PATH");
+@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
+ # endif /* HAVE_ETC_DEFAULT_LOGIN */
+ if (path == NULL || *path == '\0') {
+ child_set_env(&env, &envsize, "PATH",
+- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
++ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
+ }
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+ original_command);
+
++#ifdef HAVE_INTERIX
++ {
++ /* copy standard Windows environment, then apply changes */
++ env_t *winenv = env_login(pw);
++ env_putarray(winenv, env, ENV_OVERRIDE);
++
++ /* swap over to altered environment as a traditional array */
++ env = env_array(winenv);
++ }
++#endif
++
+ if (debug_flag) {
+ /* dump the environment */
+ fprintf(stderr, "Environment:\n");
+@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
+ perror("setgid");
+ exit(1);
+ }
++# if !defined(HAVE_INTERIX)
+ /* Initialize the group list. */
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ perror("initgroups");
+ exit(1);
+ }
++# endif /* !HAVE_INTERIX */
+ endgrent();
+ #endif
+
+@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
+ record_logout(s->pid, s->tty, s->pw->pw_name);
+
+ /* Release the pseudo-tty. */
+- if (getuid() == 0)
++ if (getuid() == ROOTUID)
+ pty_release(s->tty);
+
+ /*
diff --git a/openssh/patches/patch-sftp-common.c b/openssh/patches/patch-sftp-common.c
new file mode 100644
index 0000000000..b17738bd7f
--- /dev/null
+++ b/openssh/patches/patch-sftp-common.c
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- sftp-common.c.orig 2019-04-17 22:52:57.000000000 +0000
++++ sftp-common.c
+@@ -36,7 +36,9 @@
+ #include <string.h>
+ #include <time.h>
+ #include <stdarg.h>
++#ifdef HAVE_UNISTD_H
+ #include <unistd.h>
++#endif
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
diff --git a/openssh/patches/patch-sshd.8 b/openssh/patches/patch-sshd.8
new file mode 100644
index 0000000000..085accf98c
--- /dev/null
+++ b/openssh/patches/patch-sshd.8
@@ -0,0 +1,27 @@
+$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+* Revive tcp_wrappers support.
+
+--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshd.8
+@@ -850,6 +850,12 @@ the user's home directory becomes access
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -953,6 +959,7 @@ The content of this file is not sensitiv
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/openssh/patches/patch-sshd.c b/openssh/patches/patch-sshd.c
new file mode 100644
index 0000000000..ccab150f1b
--- /dev/null
+++ b/openssh/patches/patch-sshd.c
@@ -0,0 +1,137 @@
+$NetBSD$
+
+--- sshd.c.orig 2019-04-17 22:52:57.000000000 +0000
++++ sshd.c
+@@ -123,6 +123,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -235,7 +242,11 @@ static int *startup_flags = NULL; /* Ind
+ static int startup_pipe = -1; /* in child */
+
+ /* variables used for privilege separation */
++#ifdef HAVE_INTERIX
++int use_privsep = 0;
++#else
+ int use_privsep = -1;
++#endif
+ struct monitor *pmonitor = NULL;
+ int privsep_is_preauth = 1;
+ static int privsep_chroot = 1;
+@@ -467,10 +478,15 @@ privsep_preauth_child(void)
+ /* Drop our privileges */
+ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+ (u_int)privsep_pw->pw_gid);
++#ifdef HAVE_INTERIX
++ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser: %.100s", strerror(errno));
++#else
+ gidset[0] = privsep_pw->pw_gid;
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(privsep_pw);
++#endif /* HAVE_INTERIX */
+ }
+ }
+
+@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
+ /* Arrange for logging to be sent to the monitor */
+ set_log_handler(mm_log_handler, pmonitor);
+
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++ /* We need to do this before we chroot() so we can read sshd.sb */
++ if (box != NULL)
++ ssh_sandbox_child(box);
++#endif
+ privsep_preauth_child();
+ setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ if (box != NULL)
+ ssh_sandbox_child(box);
++#endif
+
+ return 0;
+ }
+@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
+ #ifdef DISABLE_FD_PASSING
+ if (1) {
+ #else
+- if (authctxt->pw->pw_uid == 0) {
++ if (authctxt->pw->pw_uid == ROOTUID) {
+ #endif
+ /* File descriptor passing is broken or root login */
+ use_privsep = 0;
+@@ -1454,7 +1477,7 @@ main(int ac, char **av)
+ av = saved_argv;
+ #endif
+
+- if (geteuid() == 0 && setgroups(0, NULL) == -1)
++ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1686,7 +1709,7 @@ main(int ac, char **av)
+ );
+
+ /* Store privilege separation user for later use if required. */
+- privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
++ privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
+ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+ if (privsep_chroot || options.kerberos_authentication)
+ fatal("Privilege separation user %s does not exist",
+@@ -1830,7 +1853,7 @@ main(int ac, char **av)
+ (st.st_uid != getuid () ||
+ (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+ #else
+- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
++ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ #endif
+ fatal("%s must be owned by root and not group or "
+ "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+@@ -1858,8 +1881,10 @@ main(int ac, char **av)
+ * to create a file, and we can't control the code in every
+ * module which might be used).
+ */
++#ifndef HAVE_INTERIX
+ if (setgroups(0, NULL) < 0)
+ debug("setgroups() failed: %.200s", strerror(errno));
++#endif
+
+ if (rexec_flag) {
+ if (rexec_argc < 0)
+@@ -2053,6 +2078,25 @@ main(int ac, char **av)
+ audit_connection_from(remote_ip, remote_port);
+ #endif
+
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+ rdomain = ssh_packet_rdomain_in(ssh);
+
+ /* Log the connection. */
diff --git a/openssh/patches/patch-sshpty.c b/openssh/patches/patch-sshpty.c
new file mode 100644
index 0000000000..c96ba181fe
--- /dev/null
+++ b/openssh/patches/patch-sshpty.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshpty.c
+@@ -86,7 +86,7 @@ void
+ pty_release(const char *tty)
+ {
+ #if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
+- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
++ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
+ error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
+ if (chmod(tty, (mode_t) 0666) < 0)
+ error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
+ if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+ if (chown(tty, pw->pw_uid, gid) < 0) {
+ if (errno == EROFS &&
+- (st.st_uid == pw->pw_uid || st.st_uid == 0))
++ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
+ debug("chown(%.100s, %u, %u) failed: %.100s",
+ tty, (u_int)pw->pw_uid, (u_int)gid,
+ strerror(errno));
diff --git a/openssh/patches/patch-uidswap.c b/openssh/patches/patch-uidswap.c
new file mode 100644
index 0000000000..32a76c6922
--- /dev/null
+++ b/openssh/patches/patch-uidswap.c
@@ -0,0 +1,77 @@
+$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Interix support
+
+--- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ uidswap.c
+@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
+ (u_int)pw->pw_uid, (u_int)pw->pw_gid,
+ (u_int)saved_euid, (u_int)saved_egid);
+ #ifndef HAVE_CYGWIN
+- if (saved_euid != 0) {
++ if (saved_euid != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+ #endif
+ #else
+- if (geteuid() != 0) {
++ if (geteuid() != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
+
+ /* set and save the user's groups */
+ if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
++#ifndef HAVE_INTERIX
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ fatal("initgroups: %s: %.100s", pw->pw_name,
+ strerror(errno));
+-
++#endif
+ user_groupslen = getgroups(0, NULL);
+ if (user_groupslen < 0)
+ fatal("getgroups: %.100s", strerror(errno));
+@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
+ }
+ user_groups_uid = pw->pw_uid;
+ }
++#ifndef HAVE_INTERIX
+ /* Set the effective uid to the given (unprivileged) uid. */
+ if (setgroups(user_groupslen, user_groups) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
++#endif
+ #ifndef SAVED_IDS_WORK_WITH_SETEUID
+ /* Propagate the privileged gid to all of our gids. */
+ if (setgid(getegid()) < 0)
+@@ -166,8 +169,10 @@ restore_uid(void)
+ setgid(getgid());
+ #endif /* SAVED_IDS_WORK_WITH_SETEUID */
+
++#ifndef HAVE_INTERIX
+ if (setgroups(saved_egroupslen, saved_egroups) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
++#endif
+ temporarily_use_uid_effective = 0;
+ }
+
+@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
+ debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+ (u_int)pw->pw_gid);
+
++#if defined(HAVE_INTERIX)
++ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
++#else
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+ fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+
+@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ fatal("%s: was able to restore old [e]uid", __func__);
+ #endif
++#endif /* HAVE_INTERIX */
+
+ /* Verify UID drop was successful */
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
diff --git a/openssh/t b/openssh/t
new file mode 100644
index 0000000000..1b533975cb
--- /dev/null
+++ b/openssh/t
@@ -0,0 +1,136 @@
+--- /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
++++ /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac 2019-05-01 12:11:27.813134298 +0000
+@@ -294,6 +294,9 @@
+ ]
+ )
+
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH([cflags],
+ [ --with-cflags Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@
+ maillock.h \
+ ndir.h \
+ net/if_tun.h \
++ net/tun/if_tun.h \
+ netdb.h \
+ netgroup.h \
+ pam/pam_appl.h \
+@@ -737,6 +741,15 @@
+ ;;
+ esac
+ ;;
++*-*-interix*)
++ AC_DEFINE(HAVE_INTERIX)
++ AC_DEFINE(DISABLE_FD_PASSING)
++ AC_DEFINE(DISABLE_SHADOW)
++ AC_DEFINE(IP_TOS_IS_BROKEN)
++ AC_DEFINE(MISSING_HOWMANY)
++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++ AC_DEFINE(USE_PIPES)
++ ;;
+ *-*-irix5*)
+ PATH="$PATH:/usr/etc"
+ AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@
+ AC_MSG_RESULT([no])
+ fi
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@
+ ])
+ if test -z "$conf_wtmpx_location"; then
+ if test x"$system_wtmpx_path" = x"no" ; then
+- AC_DEFINE([DISABLE_WTMPX])
++ for f in /var/log/wtmpx; do
++ if test -f $f ; then
++ conf_wtmpx_location=$f
++ fi
++ done
++ if test -z "$conf_wtmpx_location"; then
++ AC_DEFINE(DISABLE_WTMPX)
++ fi
+ fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+ AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+ [Define if you want to specify the path to your wtmpx file])
+ fi
+@@ -5223,7 +5300,7 @@
+ echo " User binaries: $B"
+ echo " System binaries: $C"
+ echo " Configuration files: $D"
+-echo " Askpass program: $E"
++echo " Askpass program: ${ASKPASS_PROGRAM}"
+ echo " Manual pages: $F"
+ echo " PID file: $G"
+ echo " Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " libldns support: $LDNS_MSG"
diff --git a/openssh8/DESCR b/openssh8/DESCR
new file mode 100644
index 0000000000..764ae7f090
--- /dev/null
+++ b/openssh8/DESCR
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.
diff --git a/openssh8/INSTALL b/openssh8/INSTALL
new file mode 100644
index 0000000000..8b8d1d310e
--- /dev/null
+++ b/openssh8/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+ for dir in $DIRS; do
+ if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+ for file in $FILES; do
+ path=$dir/$file
+ if [ -f $path ]; then
+ ${CAT} <<EOF
+===========================================================================
+
+ *===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+ @PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+ exit
+ fi
+ done
+ fi
+ done
+ ;;
+esac
diff --git a/openssh8/MESSAGE.Interix b/openssh8/MESSAGE.Interix
new file mode 100644
index 0000000000..ee57d65d24
--- /dev/null
+++ b/openssh8/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+ native lookup services. This requires that /etc/resolv.conf be set up
+ properly with a "nameserver" line; see resolv.conf(5). In most
+ installations, this was generated automatically when Services for UNIX
+ was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+ to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+ logging in through sshd thanks to the way the Windows security API works.
+ A workaround is to "exec su USERNAME" after logging in, which will use
+ the password to create a proper Windows access credential key.
+
+===========================================================================
diff --git a/openssh8/MESSAGE.pam b/openssh8/MESSAGE.pam
new file mode 100644
index 0000000000..e111287144
--- /dev/null
+++ b/openssh8/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+ ${EGDIR}/sshd.pam
+
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================
diff --git a/openssh8/Makefile b/openssh8/Makefile
new file mode 100644
index 0000000000..0f497cfb75
--- /dev/null
+++ b/openssh8/Makefile
@@ -0,0 +1,209 @@
+# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
+
+DISTNAME= openssh-8.0p1
+PKGNAME= ${DISTNAME:S/p1/.1/}
+PKGREVISION= 1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+
+MAINTAINER= pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE= http://www.openssh.com/
+COMMENT= Open Source Secure shell client and server (remote login program)
+LICENSE= modified-bsd
+
+CONFLICTS= sftp-[0-9]*
+CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+= openssh+gssapi-[0-9]*
+CONFLICTS+= lsh>2.0
+BROKEN_ON_PLATFORM+= OpenBSD-*-*
+
+USE_GCC_RUNTIME= yes
+USE_TOOLS+= autoconf perl
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+= IPV6_READY
+
+PKG_GROUPS_VARS+= OPENSSH_GROUP
+PKG_USERS_VARS+= OPENSSH_USER
+BUILD_DEFS+= OPENSSH_CHROOT
+BUILD_DEFS+= VARBASE
+
+INSTALL_TARGET= install-nokeys
+
+.include "options.mk"
+
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+= --disable-strip
+
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+= ac_cv_func_openpty=no
+CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
+CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
+. if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+= -I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+. elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+= -I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+. endif
+LDFLAGS+= -L/usr/local/lib/bind
+LIBS+= -lbind -ldb -lcrypt
+
+.else # not Interix
+
+PKG_GROUPS= ${OPENSSH_GROUP}
+PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
+
+PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
+
+.endif
+
+SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
+
+PKG_SYSCONFSUBDIR= ssh
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-mantype=man
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
+.endif
+
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+= --without-zlib-version-check
+
+.if ${_PKGSRC_MKPIE} != "no"
+CONFIGURE_ARGS+= --with-pie
+.endif
+
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+= LD=${CC:Q}
+
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+. include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
+
+.if (${OPSYS} == "NetBSD")
+. if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+= --disable-libutil
+. endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it. So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+= ac_cv_func_strnvis=no
+#
+# workaround for ./configure problem, pkg/50936
+#
+CONFIGURE_ENV+= ac_cv_func_reallocarray=no
+.endif
+
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
+.endif
+
+CONFIGURE_ARGS.Linux+= --enable-md5-password
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
+.endif
+
+CONFS= ssh_config sshd_config moduli
+
+PLIST_VARS+= darwin
+
+EGDIR= ${PREFIX}/share/examples/${PKGBASE}
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+
+.for f in ${CONFS}
+CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS= ${OPENSSH_CHROOT}
+RCD_SCRIPTS= sshd
+RCD_SCRIPT_SRC.sshd= ${WRKDIR}/sshd.sh
+SMF_METHODS= sshd
+
+FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR}
+
+SUBST_CLASSES+= patch
+SUBST_STAGE.patch= pre-configure
+SUBST_FILES.patch= session.c sandbox-darwin.c
+SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch= PKG_SYSCONFDIR
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+ cd ${WRKSRC} && autoconf -i
+
+post-configure:
+ if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
+ ${WRKSRC}/config.h; then \
+ ${SED} -e '/HAVE_ECDSA/s/.*//' \
+ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+ else \
+ ${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+ fi
+ ${SED} -e 's,@VARBASE@,${VARBASE},g' \
+ < ${FILESDIR}/org.openssh.sshd.sb.in \
+ > ${WRKDIR}/org.openssh.sshd.sb
+
+post-install:
+ ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+ cd ${WRKSRC}; for file in ${CONFS}; do \
+ ${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
+ done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+ ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+ ${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+ ${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+ ${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/openssh8/PLIST b/openssh8/PLIST
new file mode 100644
index 0000000000..1c18b8b3e9
--- /dev/null
+++ b/openssh8/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
+bin/scp
+bin/sftp
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config
diff --git a/openssh8/distinfo b/openssh8/distinfo
new file mode 100644
index 0000000000..58f19de962
--- /dev/null
+++ b/openssh8/distinfo
@@ -0,0 +1,29 @@
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
+
+SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
+RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+Size (openssh-8.0p1.tar.gz) = 1597697 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
+SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4
diff --git a/openssh8/files/org.openssh.sshd.sb.in b/openssh8/files/org.openssh.sshd.sb.in
new file mode 100644
index 0000000000..e060377c92
--- /dev/null
+++ b/openssh8/files/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.logger"))
diff --git a/openssh8/files/smf/manifest.xml b/openssh8/files/smf/manifest.xml
new file mode 100644
index 0000000000..71e9800b9b
--- /dev/null
+++ b/openssh8/files/smf/manifest.xml
@@ -0,0 +1,46 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+ <service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+ <create_default_instance enabled='false'/>
+ <single_instance/>
+ <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/filesystem/local'/>
+ </dependency>
+ <dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/network/loopback'/>
+ </dependency>
+ <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/network/physical'/>
+ </dependency>
+ <dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/cryptosvc'/>
+ </dependency>
+ <dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/utmp'/>
+ </dependency>
+ <dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
+ <service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
+ </dependency>
+ <dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
+ <service_fmri value='svc:/milestone/multi-user-server'/>
+ </dependent>
+ <exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
+ <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+ <exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
+ <property_group name='general' type='framework'>
+ <property name='action_authorization' type='astring'/>
+ </property_group>
+ <property_group name='startd' type='framework'>
+ <propval name='ignore_error' type='astring' value='core,signal'/>
+ </property_group>
+ <template>
+ <common_name>
+ <loctext xml:lang='C'>OpenSSH server</loctext>
+ </common_name>
+ <documentation>
+ <manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
+ </documentation>
+ </template>
+ </service>
+</service_bundle>
diff --git a/openssh8/files/smf/sshd.sh b/openssh8/files/smf/sshd.sh
new file mode 100644
index 0000000000..0ab48193b1
--- /dev/null
+++ b/openssh8/files/smf/sshd.sh
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "@(#)sshd 1.4 04/11/17 SMI"
+
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+ keypath=$1
+ keytype=$2
+
+ if [ ! -f $keypath ]; then
+ grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo Creating new $keytype public/private host key pair
+ $KEYGEN -f $keypath -t $keytype -N ''
+ return $?
+ fi
+ fi
+
+ return 0
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in
+ # sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+ create_key $SSHDIR/ssh_host_rsa_key rsa
+ create_key $SSHDIR/ssh_host_dsa_key dsa
+ ;;
+
+'-u')
+ # sys-unconfig(1M) knows how to remove ssh host keys, so there's
+ # nothing to do here.
+ :
+ ;;
+
+ # SMF arguments (start and restart [really "refresh"])
+'start')
+ @PREFIX@/sbin/sshd
+ ;;
+
+'restart')
+ if [ -f "$PIDFILE" ]; then
+ /usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+ fi
+ ;;
+
+*)
+ echo "Usage: $0 { start | restart }"
+ exit 1
+ ;;
+esac
+
+exit $?
diff --git a/openssh8/files/sshd.sh b/openssh8/files/sshd.sh
new file mode 100644
index 0000000000..8493e047e4
--- /dev/null
+++ b/openssh8/files/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+ . /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+ (
+ umask 022
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+ @ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+ @ECHO@ "Skipping protocol version 2 DSA Key Generation"
+ else
+ ${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+ fi
+
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+ @ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+ @ECHO@ "Skipping protocol version 2 RSA Key Generation"
+ else
+ ${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+ fi
+# HAVE_ECDSA_START
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+ @ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+ @ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+ else
+ ${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+ fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+ if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+ @ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+ @ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+ else
+ ${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+ fi
+# HAVE_ED25519_STOP
+ )
+}
+
+sshd_precmd()
+{
+ if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+ ! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+ if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+ then
+ run_rc_command keygen
+ else
+ eval ${keygen_cmd}
+ fi
+ fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+ load_rc_config $name
+ run_rc_command "$1"
+else
+ case ${1:-start} in
+ start)
+ if [ -x ${command} -a -f ${required_files} ]
+ then
+ @ECHO@ "Starting ${name}."
+ eval ${start_precmd}
+ eval ${command} ${sshd_flags} ${command_args}
+ fi
+ ;;
+ stop)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "Stopping ${name}."
+ kill -TERM ${pid}
+ else
+ @ECHO@ "${name} not running?"
+ fi
+ ;;
+ restart)
+ ( $0 stop )
+ sleep 1
+ $0 start
+ ;;
+ status)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "${name} is running as pid ${pid}."
+ else
+ @ECHO@ "${name} is not running."
+ fi
+ ;;
+ keygen)
+ eval ${keygen_cmd}
+ ;;
+ esac
+fi
diff --git a/openssh8/options.mk b/openssh8/options.mk
new file mode 100644
index 0000000000..6e941d6b5b
--- /dev/null
+++ b/openssh8/options.mk
@@ -0,0 +1,51 @@
+# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUGGESTED_OPTIONS= editline openssl
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+= pam
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mopenssl)
+.include "../../security/openssl/buildlink3.mk"
+CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
+.else
+CONFIGURE_ARGS+= --without-openssl
+.endif
+
+.if !empty(PKG_OPTIONS:Mkerberos)
+. include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE}
+. if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
+. endif
+.endif
+
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP= -p1
+#.endif
+
+PLIST_VARS+= pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+= --with-pam
+MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+= EGDIR=${EGDIR}
+. if ${OPSYS} == "Linux"
+PLIST.pam= yes
+. endif
+.endif
+
+.if !empty(PKG_OPTIONS:Meditline)
+.include "../../devel/editline/buildlink3.mk"
+CONFIGURE_ARGS+= --with-libedit=${BUILDLINK_PREFIX.editline}
+.endif
diff --git a/openssh8/patches/patch-Makefile.in b/openssh8/patches/patch-Makefile.in
new file mode 100644
index 0000000000..969eab46e7
--- /dev/null
+++ b/openssh8/patches/patch-Makefile.in
@@ -0,0 +1,31 @@
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Removed install-sysconf as we handle that phase through post-install
+
+--- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000
++++ Makefile.in
+@@ -1,5 +1,5 @@
+ # uncomment if you run a non bourne compatible shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+
+ AUTORECONF=autoreconf
+
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+ DESTDIR=
+ VPATH=@srcdir@
+ SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+ -rm -rf autom4te.cache .depend.bak
+
+ install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
++install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+
+ check-config:
diff --git a/openssh8/patches/patch-auth-passwd.c b/openssh8/patches/patch-auth-passwd.c
new file mode 100644
index 0000000000..68ed2fc1ec
--- /dev/null
+++ b/openssh8/patches/patch-auth-passwd.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth-passwd.c
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
+ return 0;
+
+ #ifndef HAVE_CYGWIN
+- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ ok = 0;
+ #endif
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
+ authctxt->force_pwchange = 1;
+ }
+ #endif
++#ifdef HAVE_INTERIX
++ result = (!setuser(pw->pw_name, password, SU_CHECK));
++#else
+ result = sys_auth_passwd(ssh, password);
++#endif
+ if (authctxt->force_pwchange)
+ auth_restrict_session(ssh);
+ return (result && ok);
diff --git a/openssh8/patches/patch-auth-rhosts.c b/openssh8/patches/patch-auth-rhosts.c
new file mode 100644
index 0000000000..fef060635c
--- /dev/null
+++ b/openssh8/patches/patch-auth-rhosts.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth-rhosts.c
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * If not logging in as superuser, try /etc/hosts.equiv and
+ * shosts.equiv.
+ */
+- if (pw->pw_uid == 0)
++ if (pw->pw_uid == ROOTUID)
+ debug3("%s: root user, ignoring system hosts files", __func__);
+ else {
+ if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ return 0;
+ }
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: "
+ "bad ownership or modes for home directory.", pw->pw_name);
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * allowing access to their account by anyone.
+ */
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+ pw->pw_name, buf);
diff --git a/openssh8/patches/patch-auth.c b/openssh8/patches/patch-auth.c
new file mode 100644
index 0000000000..719484c161
--- /dev/null
+++ b/openssh8/patches/patch-auth.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+ vs. default login class distinction is made correctly, from FrrrBSD's
+ ports.
+
+--- auth.c.orig 2019-05-01 11:28:52.028281617 +0000
++++ auth.c
+@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
+ user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+ if (options.strict_modes &&
+ (stat(user_hostfile, &st) == 0) &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Authentication refused for %.100s: "
+ "bad owner or modes for %.200s",
+@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
+ if (!allowed_user(ssh, pw))
+ return (NULL);
+ #ifdef HAVE_LOGIN_CAP
+- if ((lc = login_getclass(pw->pw_class)) == NULL) {
++ if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
+ debug("unable to get login class: %s", user);
+ return (NULL);
+ }
diff --git a/openssh8/patches/patch-auth2.c b/openssh8/patches/patch-auth2.c
new file mode 100644
index 0000000000..2182d4afc7
--- /dev/null
+++ b/openssh8/patches/patch-auth2.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth2.c
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
+ fatal("INTERNAL ERROR: authenticated and postponed");
+
+ /* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ !auth_root_allowed(ssh, method)) {
+ authenticated = 0;
+ #ifdef SSH_AUDIT_EVENTS
diff --git a/openssh8/patches/patch-clientloop.c b/openssh8/patches/patch-clientloop.c
new file mode 100644
index 0000000000..1089e0330c
--- /dev/null
+++ b/openssh8/patches/patch-clientloop.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
++++ clientloop.c
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+ struct stat st;
+ u_int now, x11_timeout_real;
+
++#if __APPLE__
++ int is_path_to_socket = 0;
++#endif /* __APPLE__ */
++
+ *_proto = proto;
+ *_data = data;
+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+ }
+
+ if (xauth_path != NULL) {
++#if __APPLE__
++ {
++ /*
++ * If using launchd socket, remove the screen number from the end
++ * of $DISPLAY. is_path_to_socket is used later in this function
++ * to determine if an error should be displayed.
++ */
++ char path[PATH_MAX];
++ struct stat sbuf;
++
++ strlcpy(path, display, sizeof(path));
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ } else {
++ char *dot = strrchr(path, '.');
++ if (dot) {
++ *dot = '\0';
++ /* screen = atoi(dot + 1); */
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
++ setenv("DISPLAY", path, 1);
++ }
++ }
++ }
++ }
++#endif /* __APPLE__ */
+ /*
+ * Handle FamilyLocal case where $DISPLAY does
+ * not match an authorization entry. For this we
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+ u_int8_t rnd[16];
+ u_int i;
+
++#if __APPLE__
++ if (!is_path_to_socket)
++#endif /* __APPLE__ */
+ logit("Warning: No xauth data; "
+ "using fake authentication data for X11 forwarding.");
+ strlcpy(proto, SSH_X11_PROTO, sizeof proto);
diff --git a/openssh8/patches/patch-config.h.in b/openssh8/patches/patch-config.h.in
new file mode 100644
index 0000000000..c1bb668067
--- /dev/null
+++ b/openssh8/patches/patch-config.h.in
@@ -0,0 +1,37 @@
+$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+* Added Interix and define new path to if_tun.h.
+* Revive tcp_wrappers support.
+
+--- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000
++++ config.h.in
+@@ -741,6 +741,9 @@
+ /* define if you have int64_t data type */
+ #undef HAVE_INT64_T
+
++/* Define if you are on Interix */
++#undef HAVE_INTERIX
++
+ /* Define to 1 if the system has the type `intmax_t'. */
+ #undef HAVE_INTMAX_T
+
+@@ -910,6 +913,9 @@
+ /* Define to 1 if you have the <net/route.h> header file. */
+ #undef HAVE_NET_ROUTE_H
+
++/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
++#undef HAVE_NET_TUN_IF_TUN_H
++
+ /* Define if you are on NeXT */
+ #undef HAVE_NEXT
+
+@@ -1617,6 +1623,9 @@
+ /* Define if pututxline updates lastlog too */
+ #undef LASTLOG_WRITE_PUTUTXLINE
+
++/* Define if you want TCP Wrappers support */
++#undef LIBWRAP
++
+ /* Define to whatever link() returns for "not supported" if it doesn't return
+ EOPNOTSUPP. */
+ #undef LINK_OPNOTSUPP_ERRNO
diff --git a/openssh8/patches/patch-configure.ac b/openssh8/patches/patch-configure.ac
new file mode 100644
index 0000000000..ec50365d8e
--- /dev/null
+++ b/openssh8/patches/patch-configure.ac
@@ -0,0 +1,138 @@
+$NetBSD$
+
+--- configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
++++ configure.ac
+@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
+ ]
+ )
+
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH([cflags],
+ [ --with-cflags Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+ maillock.h \
+ ndir.h \
+ net/if_tun.h \
++ net/tun/if_tun.h \
+ netdb.h \
+ netgroup.h \
+ pam/pam_appl.h \
+@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+ ;;
+ esac
+ ;;
++*-*-interix*)
++ AC_DEFINE(HAVE_INTERIX)
++ AC_DEFINE(DISABLE_FD_PASSING)
++ AC_DEFINE(DISABLE_SHADOW)
++ AC_DEFINE(IP_TOS_IS_BROKEN)
++ AC_DEFINE(MISSING_HOWMANY)
++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++ AC_DEFINE(USE_PIPES)
++ ;;
+ *-*-irix5*)
+ PATH="$PATH:/usr/etc"
+ AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@ else
+ AC_MSG_RESULT([no])
+ fi
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ ])
+ if test -z "$conf_wtmpx_location"; then
+ if test x"$system_wtmpx_path" = x"no" ; then
+- AC_DEFINE([DISABLE_WTMPX])
++ for f in /var/log/wtmpx; do
++ if test -f $f ; then
++ conf_wtmpx_location=$f
++ fi
++ done
++ if test -z "$conf_wtmpx_location"; then
++ AC_DEFINE(DISABLE_WTMPX)
++ fi
+ fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+ AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+ [Define if you want to specify the path to your wtmpx file])
+ fi
+@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
+ echo " User binaries: $B"
+ echo " System binaries: $C"
+ echo " Configuration files: $D"
+-echo " Askpass program: $E"
++echo " Askpass program: ${ASKPASS_PROGRAM}"
+ echo " Manual pages: $F"
+ echo " PID file: $G"
+ echo " Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@ echo " PAM support
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " libldns support: $LDNS_MSG"
diff --git a/openssh8/patches/patch-defines.h b/openssh8/patches/patch-defines.h
new file mode 100644
index 0000000000..63788b31ba
--- /dev/null
+++ b/openssh8/patches/patch-defines.h
@@ -0,0 +1,47 @@
+$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Define ROOTUID, UTMPX_FILE and WTMPX_FILE
+
+--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ defines.h
+@@ -30,6 +30,15 @@
+
+ /* Constants */
+
++#ifdef HAVE_INTERIX
++/* Interix has a special concept of "administrator". */
++# define ROOTUID 197108
++# define ROOTGID 131616
++#else
++# define ROOTUID 0
++# define ROOTGID 0
++#endif
++
+ #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
+ enum
+ {
+@@ -721,6 +730,24 @@ struct winsize {
+ # endif
+ # endif
+ #endif
++#ifndef UTMPX_FILE
++# ifdef _PATH_UTMPX
++# define UTMPX_FILE _PATH_UTMPX
++# else
++# ifdef CONF_UTMPX_FILE
++# define UTMPX_FILE CONF_UTMPX_FILE
++# endif
++# endif
++#endif
++#ifndef WTMPX_FILE
++# ifdef _PATH_WTMPX
++# define WTMPX_FILE _PATH_WTMPX
++# else
++# ifdef CONF_WTMPX_FILE
++# define WTMPX_FILE CONF_WTMPX_FILE
++# endif
++# endif
++#endif
+ /* pick up the user's location for lastlog if given */
+ #ifndef LASTLOG_FILE
+ # ifdef _PATH_LASTLOG
diff --git a/openssh8/patches/patch-includes.h b/openssh8/patches/patch-includes.h
new file mode 100644
index 0000000000..5e54a9dcd8
--- /dev/null
+++ b/openssh8/patches/patch-includes.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ includes.h
+@@ -127,6 +127,10 @@
+ #ifdef HAVE_READPASSPHRASE_H
+ # include <readpassphrase.h>
+ #endif
++#ifdef HAVE_INTERIX
++# include <interix/env.h>
++# include <interix/security.h>
++#endif
+
+ #ifdef HAVE_IA_H
+ # include <ia.h>
diff --git a/openssh8/patches/patch-loginrec.c b/openssh8/patches/patch-loginrec.c
new file mode 100644
index 0000000000..fa56d5a158
--- /dev/null
+++ b/openssh8/patches/patch-loginrec.c
@@ -0,0 +1,68 @@
+$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support and related fixes. Fix build on FreeBSD.
+
+--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ loginrec.c
+@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
+ int
+ login_write(struct logininfo *li)
+ {
+-#ifndef HAVE_CYGWIN
+- if (geteuid() != 0) {
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++ if (geteuid() != ROOTUID) {
+ logit("Attempt to write login records by non-root user (aborting)");
+ return (1);
+ }
+@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
+
+ /* set the timestamp */
+ login_set_current_time(li);
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && (HAVE_UTMP_H)
+ syslogin_write_entry(li);
+ #endif
+ #ifdef USE_LASTLOG
+@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
+ ** into account.
+ **/
+
+-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
+
+ /* build the utmp structure */
+ void
+@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
+ set_utmpx_time(li, utx);
+ utx->ut_pid = li->pid;
+
+- /* strncpy(): Don't necessarily want null termination */
+- strncpy(utx->ut_user, li->username,
+- MIN_SIZEOF(utx->ut_user, li->username));
+-
+ if (li->type == LTYPE_LOGOUT)
+ return;
+
+@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
+ * for logouts.
+ */
+
++ /* strncpy(): Don't necessarily want null termination */
++#if defined(__FreeBSD__)
++ strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
++#else
++ strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
++#endif
+ # ifdef HAVE_HOST_IN_UTMPX
+ strncpy(utx->ut_host, li->hostname,
+ MIN_SIZEOF(utx->ut_host, li->hostname));
+@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
+ ** Low-level libutil login() functions
+ **/
+
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
+ static int
+ syslogin_perform_login(struct logininfo *li)
+ {
diff --git a/openssh8/patches/patch-openbsd-compat_bsd-openpty.c b/openssh8/patches/patch-openbsd-compat_bsd-openpty.c
new file mode 100644
index 0000000000..adbacbee3a
--- /dev/null
+++ b/openssh8/patches/patch-openbsd-compat_bsd-openpty.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
+
+Interix support
+
+--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
++++ openbsd-compat/bsd-openpty.c
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
+ return (-1);
+ }
+
++#if !defined(HAVE_INTERIX)
+ /*
+ * Try to push the appropriate streams modules, as described
+ * in Solaris pts(7).
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
+ # ifndef __hpux
+ ioctl(*aslave, I_PUSH, "ttcompat");
+ # endif /* __hpux */
++#endif /* !HAVE_INTERIX */
+
+ return (0);
+
diff --git a/openssh8/patches/patch-openbsd-compat_openbsd-compat.h b/openssh8/patches/patch-openbsd-compat_openbsd-compat.h
new file mode 100644
index 0000000000..771757f15f
--- /dev/null
+++ b/openssh8/patches/patch-openbsd-compat_openbsd-compat.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+strtoll() declaration
+
+--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/openbsd-compat.h
+@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
+ int setenv(register const char *name, register const char *value, int rewrite);
+ #endif
+
++#ifndef HAVE_STRTOLL
++long long strtoll(const char *, char **, int);
++#endif
++
+ #ifndef HAVE_STRMODE
+ void strmode(int mode, char *p);
+ #endif
diff --git a/openssh8/patches/patch-openbsd-compat_port-tun.c b/openssh8/patches/patch-openbsd-compat_port-tun.c
new file mode 100644
index 0000000000..e538617426
--- /dev/null
+++ b/openssh8/patches/patch-openbsd-compat_port-tun.c
@@ -0,0 +1,45 @@
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
+
+if_tun.h can be found in net/tun
+
+--- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ openbsd-compat/port-net.c
+@@ -1,3 +1,4 @@
++
+ /*
+ * Copyright (c) 2005 Reyk Floeter <reyk%openbsd.org@localhost>
+ *
+@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
+ #include <sys/socket.h>
+ #include <net/if.h>
+
++#ifdef HAVE_NET_TUN_IF_TUN_H
++#include <net/tun/if_tun.h>
++#endif
++
+ #ifdef HAVE_NET_IF_TUN_H
+ #include <net/if_tun.h>
+ #endif
+@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
+ {
+ struct ifreq ifr;
+ char name[100];
+- int fd = -1, sock, flag;
++ int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++ int flag;
++#endif
+ const char *tunbase = "tun";
+
+ if (ifname != NULL)
+@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
+ return (-1);
+ }
+
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ /* Turn on tunnel headers */
+ flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ if (mode != SSH_TUNMODE_ETHERNET &&
+ ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
diff --git a/openssh8/patches/patch-platform.c b/openssh8/patches/patch-platform.c
new file mode 100644
index 0000000000..fe837c1b5a
--- /dev/null
+++ b/openssh8/patches/patch-platform.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ platform.c
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
+ /* uid 0 is not special on Cygwin so always try */
+ return 1;
+ #else
++#if !defined(HAVE_INTERIX)
+ return (getuid() == 0 || geteuid() == 0);
++#endif /* !HAVE_INTERIX */
+ #endif
+ }
+
diff --git a/openssh8/patches/patch-sandbox-darwin.c b/openssh8/patches/patch-sandbox-darwin.c
new file mode 100644
index 0000000000..b6624a068e
--- /dev/null
+++ b/openssh8/patches/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ struct rlimit rl_zero;
+
+ debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+ if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+ &errmsg) == -1)
++#endif
+ fatal("%s: sandbox_init: %s", __func__, errmsg);
+
+ /*
diff --git a/openssh8/patches/patch-scp.c b/openssh8/patches/patch-scp.c
new file mode 100644
index 0000000000..415ddfbc2b
--- /dev/null
+++ b/openssh8/patches/patch-scp.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ scp.c
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
+ argc -= optind;
+ argv += optind;
+
++#ifdef HAVE_INTERIX
++ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
++#else
+ if ((pwd = getpwuid(userid = getuid())) == NULL)
++#endif
+ fatal("unknown user %u", (u_int) userid);
+
+ if (!isatty(STDOUT_FILENO))
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
+ return;
+ }
+ while ((dp = readdir(dirp)) != NULL) {
++#ifndef HAVE_INTERIX
+ if (dp->d_ino == 0)
+ continue;
++#endif
+ if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+ continue;
+ if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
+ case '\'':
+ case '"':
+ case '`':
++#ifndef HAVE_INTERIX
+ case ' ':
++#endif
+ case '#':
+ goto bad;
+ default:
diff --git a/openssh8/patches/patch-session.c b/openssh8/patches/patch-session.c
new file mode 100644
index 0000000000..d0b9df8d7d
--- /dev/null
+++ b/openssh8/patches/patch-session.c
@@ -0,0 +1,65 @@
+$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
+
+* Interix support.
+
+--- session.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ session.c
+@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
+ if (tmpenv == NULL)
+ return;
+
+- if (uid == 0)
++ if (uid == ROOTUID)
+ var = child_get_env(tmpenv, "SUPATH");
+ else
+ var = child_get_env(tmpenv, "PATH");
+@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
+ # endif /* HAVE_ETC_DEFAULT_LOGIN */
+ if (path == NULL || *path == '\0') {
+ child_set_env(&env, &envsize, "PATH",
+- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
++ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
+ }
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+ original_command);
+
++#ifdef HAVE_INTERIX
++ {
++ /* copy standard Windows environment, then apply changes */
++ env_t *winenv = env_login(pw);
++ env_putarray(winenv, env, ENV_OVERRIDE);
++
++ /* swap over to altered environment as a traditional array */
++ env = env_array(winenv);
++ }
++#endif
++
+ if (debug_flag) {
+ /* dump the environment */
+ fprintf(stderr, "Environment:\n");
+@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
+ perror("setgid");
+ exit(1);
+ }
++# if !defined(HAVE_INTERIX)
+ /* Initialize the group list. */
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ perror("initgroups");
+ exit(1);
+ }
++# endif /* !HAVE_INTERIX */
+ endgrent();
+ #endif
+
+@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
+ record_logout(s->pid, s->tty, s->pw->pw_name);
+
+ /* Release the pseudo-tty. */
+- if (getuid() == 0)
++ if (getuid() == ROOTUID)
+ pty_release(s->tty);
+
+ /*
diff --git a/openssh8/patches/patch-sftp-common.c b/openssh8/patches/patch-sftp-common.c
new file mode 100644
index 0000000000..b17738bd7f
--- /dev/null
+++ b/openssh8/patches/patch-sftp-common.c
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- sftp-common.c.orig 2019-04-17 22:52:57.000000000 +0000
++++ sftp-common.c
+@@ -36,7 +36,9 @@
+ #include <string.h>
+ #include <time.h>
+ #include <stdarg.h>
++#ifdef HAVE_UNISTD_H
+ #include <unistd.h>
++#endif
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
diff --git a/openssh8/patches/patch-sshd.8 b/openssh8/patches/patch-sshd.8
new file mode 100644
index 0000000000..085accf98c
--- /dev/null
+++ b/openssh8/patches/patch-sshd.8
@@ -0,0 +1,27 @@
+$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+* Revive tcp_wrappers support.
+
+--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshd.8
+@@ -850,6 +850,12 @@ the user's home directory becomes access
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -953,6 +959,7 @@ The content of this file is not sensitiv
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/openssh8/patches/patch-sshd.c b/openssh8/patches/patch-sshd.c
new file mode 100644
index 0000000000..ccab150f1b
--- /dev/null
+++ b/openssh8/patches/patch-sshd.c
@@ -0,0 +1,137 @@
+$NetBSD$
+
+--- sshd.c.orig 2019-04-17 22:52:57.000000000 +0000
++++ sshd.c
+@@ -123,6 +123,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -235,7 +242,11 @@ static int *startup_flags = NULL; /* Ind
+ static int startup_pipe = -1; /* in child */
+
+ /* variables used for privilege separation */
++#ifdef HAVE_INTERIX
++int use_privsep = 0;
++#else
+ int use_privsep = -1;
++#endif
+ struct monitor *pmonitor = NULL;
+ int privsep_is_preauth = 1;
+ static int privsep_chroot = 1;
+@@ -467,10 +478,15 @@ privsep_preauth_child(void)
+ /* Drop our privileges */
+ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+ (u_int)privsep_pw->pw_gid);
++#ifdef HAVE_INTERIX
++ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser: %.100s", strerror(errno));
++#else
+ gidset[0] = privsep_pw->pw_gid;
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(privsep_pw);
++#endif /* HAVE_INTERIX */
+ }
+ }
+
+@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
+ /* Arrange for logging to be sent to the monitor */
+ set_log_handler(mm_log_handler, pmonitor);
+
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++ /* We need to do this before we chroot() so we can read sshd.sb */
++ if (box != NULL)
++ ssh_sandbox_child(box);
++#endif
+ privsep_preauth_child();
+ setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ if (box != NULL)
+ ssh_sandbox_child(box);
++#endif
+
+ return 0;
+ }
+@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
+ #ifdef DISABLE_FD_PASSING
+ if (1) {
+ #else
+- if (authctxt->pw->pw_uid == 0) {
++ if (authctxt->pw->pw_uid == ROOTUID) {
+ #endif
+ /* File descriptor passing is broken or root login */
+ use_privsep = 0;
+@@ -1454,7 +1477,7 @@ main(int ac, char **av)
+ av = saved_argv;
+ #endif
+
+- if (geteuid() == 0 && setgroups(0, NULL) == -1)
++ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1686,7 +1709,7 @@ main(int ac, char **av)
+ );
+
+ /* Store privilege separation user for later use if required. */
+- privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
++ privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
+ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+ if (privsep_chroot || options.kerberos_authentication)
+ fatal("Privilege separation user %s does not exist",
+@@ -1830,7 +1853,7 @@ main(int ac, char **av)
+ (st.st_uid != getuid () ||
+ (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+ #else
+- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
++ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ #endif
+ fatal("%s must be owned by root and not group or "
+ "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+@@ -1858,8 +1881,10 @@ main(int ac, char **av)
+ * to create a file, and we can't control the code in every
+ * module which might be used).
+ */
++#ifndef HAVE_INTERIX
+ if (setgroups(0, NULL) < 0)
+ debug("setgroups() failed: %.200s", strerror(errno));
++#endif
+
+ if (rexec_flag) {
+ if (rexec_argc < 0)
+@@ -2053,6 +2078,25 @@ main(int ac, char **av)
+ audit_connection_from(remote_ip, remote_port);
+ #endif
+
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+ rdomain = ssh_packet_rdomain_in(ssh);
+
+ /* Log the connection. */
diff --git a/openssh8/patches/patch-sshpty.c b/openssh8/patches/patch-sshpty.c
new file mode 100644
index 0000000000..c96ba181fe
--- /dev/null
+++ b/openssh8/patches/patch-sshpty.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshpty.c
+@@ -86,7 +86,7 @@ void
+ pty_release(const char *tty)
+ {
+ #if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
+- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
++ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
+ error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
+ if (chmod(tty, (mode_t) 0666) < 0)
+ error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
+ if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+ if (chown(tty, pw->pw_uid, gid) < 0) {
+ if (errno == EROFS &&
+- (st.st_uid == pw->pw_uid || st.st_uid == 0))
++ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
+ debug("chown(%.100s, %u, %u) failed: %.100s",
+ tty, (u_int)pw->pw_uid, (u_int)gid,
+ strerror(errno));
diff --git a/openssh8/patches/patch-uidswap.c b/openssh8/patches/patch-uidswap.c
new file mode 100644
index 0000000000..32a76c6922
--- /dev/null
+++ b/openssh8/patches/patch-uidswap.c
@@ -0,0 +1,77 @@
+$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Interix support
+
+--- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ uidswap.c
+@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
+ (u_int)pw->pw_uid, (u_int)pw->pw_gid,
+ (u_int)saved_euid, (u_int)saved_egid);
+ #ifndef HAVE_CYGWIN
+- if (saved_euid != 0) {
++ if (saved_euid != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+ #endif
+ #else
+- if (geteuid() != 0) {
++ if (geteuid() != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
+
+ /* set and save the user's groups */
+ if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
++#ifndef HAVE_INTERIX
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ fatal("initgroups: %s: %.100s", pw->pw_name,
+ strerror(errno));
+-
++#endif
+ user_groupslen = getgroups(0, NULL);
+ if (user_groupslen < 0)
+ fatal("getgroups: %.100s", strerror(errno));
+@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
+ }
+ user_groups_uid = pw->pw_uid;
+ }
++#ifndef HAVE_INTERIX
+ /* Set the effective uid to the given (unprivileged) uid. */
+ if (setgroups(user_groupslen, user_groups) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
++#endif
+ #ifndef SAVED_IDS_WORK_WITH_SETEUID
+ /* Propagate the privileged gid to all of our gids. */
+ if (setgid(getegid()) < 0)
+@@ -166,8 +169,10 @@ restore_uid(void)
+ setgid(getgid());
+ #endif /* SAVED_IDS_WORK_WITH_SETEUID */
+
++#ifndef HAVE_INTERIX
+ if (setgroups(saved_egroupslen, saved_egroups) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
++#endif
+ temporarily_use_uid_effective = 0;
+ }
+
+@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
+ debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+ (u_int)pw->pw_gid);
+
++#if defined(HAVE_INTERIX)
++ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
++#else
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+ fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+
+@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ fatal("%s: was able to restore old [e]uid", __func__);
+ #endif
++#endif /* HAVE_INTERIX */
+
+ /* Verify UID drop was successful */
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
Home |
Main Index |
Thread Index |
Old Index