Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 26 May 2001 16:31:47 +0200 (CEST)
From:      dirk.meyer@dinoex.sub.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/27662: ports/security/openssh Update
Message-ID:  <200105261431.f4QEVlE33306@home.dinoex.sub.org>

next in thread | raw e-mail | index | archive | help

>Number:         27662
>Category:       ports
>Synopsis:       ports/security/openssh Update
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 26 07:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Dirk Meyer
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
privat
>Environment:

	FreeBSD 4.3-STABLE i386

>Description:

	Study to upgrade OpenSSH 2.2.0 to OpenSSH 2.9

	Features:
	- Possible use of sftp/sftp-server with older FreeBSD releases.
	- Use a newer version independently from the Base system.
	- Easier to test and fix possible security bugs.

	Bugs:
	- pam_ssm.so won't be supported any more, if teh port
	gets updated.

>How-To-Repeat:

	Try to compile the new Version.
	Most patches don't apply anymore, lots of changes in OpenSSH

>Fix:

	Problem:
	Please review the patches, I am not sure if this updated
	should be commited at all.

	To update:

	apply the patch:
	removed files:
		pam_ssh.c pam_ssh_Makefile
		patch-aw patch-ay patch-az patch-bleichenbacher
	added files:
		patch-misc.c patch-sftp-Makefile
		patch-sftp-server-Makefile patch-ssh-keyscan-Makefile

diff openssh/Makefile openssh/Makefile
--- openssh/Makefile	Tue Apr  3 21:05:22 2001
+++ openssh/Makefile	Sat May 26 16:03:18 2001
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	OpenSSH
-PORTVERSION=	2.2.0
-PORTREVISION=	2
+PORTVERSION=	2.9
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
 		ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
@@ -62,23 +61,11 @@
 	@${CP} ${FILESDIR}/getnameinfo.c ${WRKSRC}/lib/
 	@${CP} ${FILESDIR}/netdb.h ${WRKSRC}/
 .endif
-	@${MKDIR} ${WRKSRC}/pam_ssh
-	@${CP} ${FILESDIR}/pam_ssh_Makefile ${WRKSRC}/pam_ssh/Makefile
-	@${CP} ${FILESDIR}/pam_ssh.c ${WRKSRC}/pam_ssh/
 
 post-patch:
 	@${PERL} -pi -e 's:__PREFIX__:${PREFIX}:g' ${WRKSRC}/ssh.h	\
-		${WRKSRC}/sshd_config ${WRKSRC}/pam_ssh/pam_ssh.c	\
-		${WRKSRC}/sshd.sh
-
-.if ${PAM} == yes
-PLIST=		${WRKDIR}/PLIST
-
-do-configure:
-	@${CP} ${PKGDIR}/pkg-plist ${PLIST}
-	@${ECHO} "@cwd /usr" >> ${PLIST}
-	@${ECHO} "lib/pam_ssh.so" >> ${PLIST}
-.endif
+		${WRKSRC}/sshd_config ${WRKSRC}/sshd.sh \
+		${WRKSRC}/pathnames.h
 
 post-install:
 .if !exists(${PREFIX}/etc/ssh_host_key)
diff openssh/distinfo openssh/distinfo
--- openssh/distinfo	Sun Nov  5 00:04:20 2000
+++ openssh/distinfo	Sat May 26 14:27:03 2001
@@ -1 +1 @@
-MD5 (openssh-2.2.0.tgz) = 8ecfebc800f1c0646cbe09231a012764
+MD5 (openssh-2.9.tgz) = 80b842f8bae8786b2a8b81ba8a09772a
diff openssh/files/pam_ssh.c openssh/files/pam_ssh.c
--- openssh/files/pam_ssh.c	Sun Nov  5 00:04:25 2000
+++ openssh/files/pam_ssh.c	Thu Jan  1 01:00:00 1970
@@ -1,496 +0,0 @@
-/*-
- * Copyright (c) 1999 Andrew J. Korty
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD: ports/security/openssh/files/pam_ssh.c,v 1.4 2000/11/04 23:04:25 green Exp $
- *
- */
-
-
-#include <sys/param.h>
-#include <sys/queue.h>
-
-#include <fcntl.h>
-#include <paths.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#define	PAM_SM_AUTH
-#define	PAM_SM_SESSION
-#include <security/pam_modules.h>
-#include <security/pam_mod_misc.h>
-
-#include <openssl/dsa.h>
-
-#include "includes.h"
-#include "rsa.h"
-#include "key.h"
-#include "ssh.h"
-#include "authfd.h"
-#include "authfile.h"
-
-#define	MODULE_NAME	"pam_ssh"
-#define	NEED_PASSPHRASE	"Need passphrase for %s (%s).\nEnter passphrase: "
-#define	PATH_SSH_AGENT	"__PREFIX__/bin/ssh-agent"
-
-
-void
-rsa_cleanup(pam_handle_t *pamh, void *data, int error_status)
-{
-	if (data)
-		RSA_free(data);
-}
-
-
-void
-ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
-{
-	if (data)
-		free(data);
-}
-
-
-/*
- * The following set of functions allow the module to manipulate the
- * environment without calling the putenv() or setenv() stdlib functions.
- * At least one version of these functions, on the first call, copies
- * the environment into dynamically-allocated memory and then augments
- * it.  On subsequent calls, the realloc() call is used to grow the
- * previously allocated buffer.  Problems arise when the "environ"
- * variable is changed to point to static memory after putenv()/setenv()
- * have been called.
- * 
- * We don't use putenv() or setenv() in case the application subsequently
- * manipulates environ, (e.g., to clear the environment by pointing
- * environ at an array of one element equal to NULL).
- */
-
-SLIST_HEAD(env_head, env_entry);
-
-struct env_entry {
-	char			*ee_env;
-	SLIST_ENTRY(env_entry)	 ee_entries;
-};
-
-typedef struct env {
-	char		**e_environ_orig;
-	char		**e_environ_new;
-	int		  e_count;
-	struct env_head	  e_head;
-	int		  e_committed;
-} ENV;
-
-extern char **environ;
-
-
-static ENV *
-env_new(void)
-{
-	ENV	*self;
-
-	if (!(self = malloc(sizeof (ENV)))) {
-		syslog(LOG_CRIT, "%m");
-		return NULL;
-	}
-	SLIST_INIT(&self->e_head);
-	self->e_count = 0;
-	self->e_committed = 0;
-	return self;
-}
-
-
-static int
-env_put(ENV *self, char *s)
-{
-	struct env_entry	*env;
-
-	if (!(env = malloc(sizeof (struct env_entry))) ||
-	    !(env->ee_env = strdup(s))) {
-		syslog(LOG_CRIT, "%m");
-		return PAM_SERVICE_ERR;
-	}
-	SLIST_INSERT_HEAD(&self->e_head, env, ee_entries);
-	++self->e_count;
-	return PAM_SUCCESS;
-}
-
-
-static void
-env_swap(ENV *self, int which)
-{
-	environ = which ? self->e_environ_new : self->e_environ_orig;
-}
-
-
-static int
-env_commit(ENV *self)
-{
-	int			  n;
-	struct env_entry	 *p;
-	char 			**v;
-
-	for (v = environ, n = 0; v && *v; v++, n++)
-		;
-	if (!(v = malloc((n + self->e_count + 1) * sizeof (char *)))) {
-		syslog(LOG_CRIT, "%m");
-		return PAM_SERVICE_ERR;
-	}
-	self->e_committed = 1;
-	(void)memcpy(v, environ, n * sizeof (char *));
-	SLIST_FOREACH(p, &self->e_head, ee_entries)
-		v[n++] = p->ee_env;
-	v[n] = NULL;
-	self->e_environ_orig = environ;
-	self->e_environ_new = v;
-	env_swap(self, 1);
-	return PAM_SUCCESS;
-}
-
-
-static void
-env_destroy(ENV *self)
-{
-	struct env_entry	 *p;
-
-	env_swap(self, 0);
-	SLIST_FOREACH(p, &self->e_head, ee_entries) {
-		free(p->ee_env);
-		free(p);
-	}
-	if (self->e_committed)
-		free(self->e_environ_new);
-	free(self);
-}
-
-
-void
-env_cleanup(pam_handle_t *pamh, void *data, int error_status)
-{
-	if (data)
-		env_destroy(data);
-}
-
-
-typedef struct passwd PASSWD;
-
-PAM_EXTERN int
-pam_sm_authenticate(
-	pam_handle_t	 *pamh,
-	int		  flags,
-	int		  argc,
-	const char	**argv)
-{
-	char		*comment_priv;		/* on private key */
-	char		*comment_pub;		/* on public key */
-	char		*identity;		/* user's identity file */
-	Key		 key;			/* user's private key */
-	int		 options;		/* module options */
-	const char	*pass;			/* passphrase */
-	char		*prompt;		/* passphrase prompt */
-	Key		 public_key;		/* user's public key */
-	const PASSWD	*pwent;			/* user's passwd entry */
-	PASSWD		*pwent_keep;		/* our own copy */
-	int		 retval;		/* from calls */
-	uid_t		 saved_uid;		/* caller's uid */
-	const char	*user;			/* username */
-
-	options = 0;
-	while (argc--)
-		pam_std_option(&options, *argv++);
-	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
-		return retval;
-	if (!((pwent = getpwnam(user)) && pwent->pw_dir)) {
-		/* delay? */
-		return PAM_AUTH_ERR;
-	}
-	/* locate the user's private key file */
-	if (!asprintf(&identity, "%s/%s", pwent->pw_dir,
-	    SSH_CLIENT_IDENTITY)) {
-		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
-		return PAM_SERVICE_ERR;
-	}
-	/*
-	 * Fail unless we can load the public key.  Change to the
-	 * owner's UID to appease load_public_key().
-	 */
-	key.type = KEY_RSA;
-	key.rsa = RSA_new();
-	public_key.type = KEY_RSA;
-	public_key.rsa = RSA_new();
-	saved_uid = getuid();
-	(void)setreuid(pwent->pw_uid, saved_uid);
-	retval = load_public_key(identity, &public_key, &comment_pub);
-	(void)setuid(saved_uid);
-	if (!retval) {
-		free(identity);
-		return PAM_AUTH_ERR;
-	}
-	RSA_free(public_key.rsa);
-	/* build the passphrase prompt */
-	retval = asprintf(&prompt, NEED_PASSPHRASE, identity, comment_pub);
-	free(comment_pub);
-	if (!retval) {
-		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
-		free(identity);
-		return PAM_SERVICE_ERR;
-	}
-	/* pass prompt message to application and receive passphrase */
-	retval = pam_get_pass(pamh, &pass, prompt, options);
-	free(prompt);
-	if (retval != PAM_SUCCESS) {
-		free(identity);
-		return retval;
-	}
-	/*
-	 * Try to decrypt the private key with the passphrase provided.
-	 * If success, the user is authenticated.
-	 */
-	(void)setreuid(pwent->pw_uid, saved_uid);
-	retval = load_private_key(identity, pass, &key, &comment_priv);
-	free(identity);
-	(void)setuid(saved_uid);
-	if (!retval)
-		return PAM_AUTH_ERR;
-	/*
-	 * Save the key and comment to pass to ssh-agent in the session
-	 * phase.
-	 */
-	if ((retval = pam_set_data(pamh, "ssh_private_key", key.rsa,
-	    rsa_cleanup)) != PAM_SUCCESS) {
-		RSA_free(key.rsa);
-		free(comment_priv);
-		return retval;
-	}
-	if ((retval = pam_set_data(pamh, "ssh_key_comment", comment_priv,
-	    ssh_cleanup)) != PAM_SUCCESS) {
-		free(comment_priv);
-		return retval;
-	}
-	/*
-	 * Copy the passwd entry (in case successive calls are made)
-	 * and save it for the session phase.
-	 */
-	if (!(pwent_keep = malloc(sizeof *pwent))) {
-		syslog(LOG_CRIT, "%m");
-		return PAM_SERVICE_ERR;
-	}
-	(void)memcpy(pwent_keep, pwent, sizeof *pwent_keep);
-	if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
-	    ssh_cleanup)) != PAM_SUCCESS) {
-		free(pwent_keep);
-		return retval;
-	}
-	return PAM_SUCCESS;
-}
-
-
-PAM_EXTERN int
-pam_sm_setcred(
-	pam_handle_t	 *pamh,
-	int		  flags,
-	int		  argc,
-	const char	**argv)
-{
-	return PAM_SUCCESS;
-}
-
-
-typedef AuthenticationConnection AC;
-
-PAM_EXTERN int
-pam_sm_open_session(
-	pam_handle_t	 *pamh,
-	int		  flags,
-	int		  argc,
-	const char	**argv)
-{
-	AC		*ac;			/* to ssh-agent */
-	char		*comment;		/* on private key */
-	char		*env_end;		/* end of env */
-	char		*env_file;		/* to store env */
-	FILE		*env_fp;		/* env_file handle */
-	Key		 key;			/* user's private key */
-	FILE		*pipe;			/* ssh-agent handle */
-	const PASSWD	*pwent;			/* user's passwd entry */
-	int		 retval;		/* from calls */
-	uid_t		 saved_uid;		/* caller's uid */
-	ENV		*ssh_env;		/* env handle */
-	const char	*tty;			/* tty or display name */
-	char		 hname[MAXHOSTNAMELEN];	/* local hostname */
-	char		 parse[BUFSIZ];		/* commands output */
-
-	/* dump output of ssh-agent in ~/.ssh */
-	if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
-	    (const void **)&pwent)) != PAM_SUCCESS)
-		return retval;
-	/* use the tty or X display name in the filename */
-	if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty))
-	    != PAM_SUCCESS)
-		return retval;
-	if (*tty == ':' && gethostname(hname, sizeof hname) == 0) {
-		if (asprintf(&env_file, "%s/.ssh/agent-%s%s",
-		    pwent->pw_dir, hname, tty) == -1) {
-			syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
-			return PAM_SERVICE_ERR;
-		}
-	} else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwent->pw_dir,
-	    tty) == -1) {
-		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
-		return PAM_SERVICE_ERR;
-	}
-	/* save the filename so we can delete the file on session close */
-	if ((retval = pam_set_data(pamh, "ssh_agent_env", env_file,
-	    ssh_cleanup)) != PAM_SUCCESS) {
-		free(env_file);
-		return retval;
-	}
-	/* start the agent as the user */
-	saved_uid = geteuid();
-	(void)seteuid(pwent->pw_uid);
-	env_fp = fopen(env_file, "w");
-	pipe = popen(PATH_SSH_AGENT, "r");
-	(void)seteuid(saved_uid);
-	if (!pipe) {
-		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
-		if (env_fp)
-			(void)fclose(env_fp);
-		return PAM_SESSION_ERR;
-	}
-	if (!(ssh_env = env_new()))
-		return PAM_SESSION_ERR;
-	if ((retval = pam_set_data(pamh, "ssh_env_handle", ssh_env,
-	    env_cleanup)) != PAM_SUCCESS)
-		return retval;
-	while (fgets(parse, sizeof parse, pipe)) {
-		if (env_fp)
-			(void)fputs(parse, env_fp);
-		/*
-		 * Save environment for application with pam_putenv()
-		 * but also with env_* functions for our own call to
-		 * ssh_get_authentication_connection().
-		 */
-		if (strchr(parse, '=') && (env_end = strchr(parse, ';'))) {
-			*env_end = '\0';
-			/* pass to the application ... */
-			if (!((retval = pam_putenv(pamh, parse)) ==
-			    PAM_SUCCESS)) {
-				(void)pclose(pipe);
-				if (env_fp)
-					(void)fclose(env_fp);
-				env_destroy(ssh_env);
-				return PAM_SERVICE_ERR;
-			}
-			env_put(ssh_env, parse);
-		}
-	}
-	if (env_fp)
-		(void)fclose(env_fp);
-	switch (retval = pclose(pipe)) {
-	case -1:
-		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
-		env_destroy(ssh_env);
-		return PAM_SESSION_ERR;
-	case 0:
-		break;
-	case 127:
-		syslog(LOG_ERR, "%s: cannot execute %s", MODULE_NAME,
-		    PATH_SSH_AGENT);
-		env_destroy(ssh_env);
-		return PAM_SESSION_ERR;
-	default:
-		syslog(LOG_ERR, "%s: %s exited with status %d",
-		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
-		env_destroy(ssh_env);
-		return PAM_SESSION_ERR;
-	}
-	key.type = KEY_RSA;
-	/* connect to the agent and hand off the private key */
-	if ((retval = pam_get_data(pamh, "ssh_private_key",
-	    (const void **)&key.rsa)) != PAM_SUCCESS ||
-	    (retval = pam_get_data(pamh, "ssh_key_comment",
-	    (const void **)&comment)) != PAM_SUCCESS ||
-	    (retval = env_commit(ssh_env)) != PAM_SUCCESS) {
-		env_destroy(ssh_env);
-		return retval;
-	}
-	if (!(ac = ssh_get_authentication_connection())) {
-		syslog(LOG_ERR, "%s: could not connect to agent",
-		    MODULE_NAME);
-		env_destroy(ssh_env);
-		return PAM_SESSION_ERR;
-	}
-	retval = ssh_add_identity(ac, &key, comment);
-	ssh_close_authentication_connection(ac);
-	env_swap(ssh_env, 0);
-	return retval ? PAM_SUCCESS : PAM_SESSION_ERR;
-}
-
-
-PAM_EXTERN int
-pam_sm_close_session(
-	pam_handle_t	 *pamh,
-	int		  flags,
-	int		  argc,
-	const char	**argv)
-{
-	const char	*env_file;	/* ssh-agent environment */
-	int	 	 retval;	/* from calls */
-	ENV		*ssh_env;	/* env handle */
-
-	if ((retval = pam_get_data(pamh, "ssh_env_handle",
-	    (const void **)&ssh_env)) != PAM_SUCCESS)
-		return retval;
-	env_swap(ssh_env, 1);
-	/* kill the agent */
-	retval = system(PATH_SSH_AGENT " -k");
-	env_destroy(ssh_env);
-	switch (retval) {
-	case -1:
-		syslog(LOG_ERR, "%s: %s -k: %m", MODULE_NAME,
-		    PATH_SSH_AGENT);
-		return PAM_SESSION_ERR;
-	case 0:
-		break;
-	case 127:
-		syslog(LOG_ERR, "%s: cannot execute %s -k", MODULE_NAME,
-		    PATH_SSH_AGENT);
-		return PAM_SESSION_ERR;
-	default:
-		syslog(LOG_ERR, "%s: %s -k exited with status %d",
-		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
-		return PAM_SESSION_ERR;
-	}
-	/* retrieve environment filename, then remove the file */
-	if ((retval = pam_get_data(pamh, "ssh_agent_env",
-	    (const void **)&env_file)) != PAM_SUCCESS)
-		return retval;
-	(void)unlink(env_file);
-	return PAM_SUCCESS;
-}
-
-
-PAM_MODULE_ENTRY(MODULE_NAME);
diff openssh/files/pam_ssh_Makefile openssh/files/pam_ssh_Makefile
--- openssh/files/pam_ssh_Makefile	Mon Nov 29 08:09:44 1999
+++ openssh/files/pam_ssh_Makefile	Thu Jan  1 01:00:00 1970
@@ -1,15 +0,0 @@
-# PAM module for SSH
-# $FreeBSD: ports/security/openssh/files/pam_ssh_Makefile,v 1.1 1999/11/29 07:09:44 green Exp $
-.PATH:		${.CURDIR}/..
-
-LIB=		pam_ssh
-DESTDIR=
-SHLIB_NAME=	pam_ssh.so
-SRCS=		log-client.c pam_ssh.c
-CFLAGS+=	-Wall
-DPADD+=		${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} ${LIBGCC_PIC}
-LDADD+=		${CRYPTOLIBS} -lutil -lz -lgcc_pic
-INTERNALLIB=	yes
-INTERNALSTATICLIB=yes
-
-.include <bsd.lib.mk>
diff openssh/files/patch-aa openssh/files/patch-aa
--- openssh/files/patch-aa	Wed Feb 23 12:30:04 2000
+++ openssh/files/patch-aa	Sat May 26 16:04:02 2001
@@ -1,15 +1,13 @@
---- Makefile.orig	Wed Feb 23 06:18:58 2000
-+++ Makefile	Wed Feb 23 06:22:22 2000
-@@ -1,13 +1,17 @@
- #	$OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $
+--- Makefile.orig	Sun Feb  4 12:11:53 2001
++++ Makefile	Sat May 26 16:03:54 2001
+@@ -1,14 +1,15 @@
+ #	$OpenBSD: Makefile,v 1.8 2001/02/04 11:11:53 djm Exp $
  
  .include <bsd.own.mk>
 +.include "Makefile.inc"
  
- SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp
-+.if ${PAM} == yes
-+SUBDIR+=	pam_ssh
-+.endif
+ SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \
+ 	ssh-keyscan sftp
  
  distribution:
 -	install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \
diff openssh/files/patch-ad openssh/files/patch-ad
--- openssh/files/patch-ad	Sun Nov  5 00:04:25 2000
+++ openssh/files/patch-ad	Sat May 26 14:40:01 2001
@@ -1,11 +1,11 @@
---- lib/Makefile.orig	Sat Aug 19 17:34:44 2000
-+++ lib/Makefile	Sat Nov  4 16:41:11 2000
-@@ -5,7 +5,12 @@
- 	cipher.c compat.c compress.c crc32.c deattack.c \
+--- lib/Makefile.orig	Tue Apr  3 21:53:30 2001
++++ lib/Makefile	Sat May 26 14:39:03 2001
+@@ -8,7 +8,12 @@
  	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
  	rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \
--	key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c
-+	key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c \
+ 	key.c dispatch.c kex.c mac.c uuencode.c misc.c \
+-	cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c
++	cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
 +	strlcpy.c strlcat.c
 +
 +.if defined(COMPAT_GETADDRINFO)
@@ -14,11 +14,11 @@
  
  NOPROFILE= yes
  NOPIC=	yes
-@@ -14,6 +19,7 @@
+@@ -17,6 +22,7 @@
  	@echo -n
  
  .include <bsd.own.mk>
 +.include "../Makefile.inc"
  
- .if (${KERBEROS} == "yes")
+ .if (${KERBEROS:L} == "yes")
  CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
diff openssh/files/patch-ae openssh/files/patch-ae
--- openssh/files/patch-ae	Wed Nov 24 04:36:20 1999
+++ openssh/files/patch-ae	Sat May 26 14:42:38 2001
@@ -1,8 +1,8 @@
---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/login.c	Tue Nov 23 18:55:14 1999
-+++ ./login.c	Tue Nov 23 19:35:08 1999
-@@ -20,7 +20,11 @@
+--- sshlogin.c.orig	Sat Mar 24 17:43:27 2001
++++ sshlogin.c	Sat May 26 14:42:30 2001
+@@ -41,7 +41,11 @@
  #include "includes.h"
- RCSID("$Id: login.c,v 1.8 1999/11/23 22:25:54 markus Exp $");
+ RCSID("$OpenBSD: sshlogin.c,v 1.2 2001/03/24 16:43:27 stevesk Exp $");
  
 +#ifdef __FreeBSD__
 +#include <libutil.h>
@@ -10,5 +10,5 @@
  #include <util.h>
 +#endif /* __FreeBSD__ */
  #include <utmp.h>
- #include "ssh.h"
- 
+ #include "sshlogin.h"
+ #include "log.h"
diff openssh/files/patch-ag openssh/files/patch-ag
--- openssh/files/patch-ag	Sun Nov  5 00:04:25 2000
+++ openssh/files/patch-ag	Sat May 26 16:10:11 2001
@@ -1,6 +1,6 @@
---- ssh/Makefile.orig	Thu Jun 29 14:35:47 2000
-+++ ssh/Makefile	Sat Nov  4 16:58:41 2000
-@@ -5,8 +5,8 @@
+--- ssh/Makefile.orig	Sat Apr 14 18:33:20 2001
++++ ssh/Makefile	Sat May 26 14:54:24 2001
+@@ -7,8 +7,8 @@
  
  BINMODE?=4555
  
@@ -11,26 +11,26 @@
  LINKS=	${BINDIR}/ssh ${BINDIR}/slogin
  MLINKS=	ssh.1 slogin.1
  
-@@ -14,10 +14,11 @@
+@@ -16,10 +16,11 @@
  	sshconnect.c sshconnect1.c sshconnect2.c
  
  .include <bsd.own.mk> # for AFS
 +.include "../Makefile.inc"
  
- .if (${KERBEROS} == "yes")
+ .if (${KERBEROS:L} == "yes")
 -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
 -LDADD+=	 -lkrb
 +CFLAGS+= -DKRB4 -I/usr/include/kerberosIV
 +LDADD+=	 -lkrb -lcom_err
  DPADD+=	 ${LIBKRB}
- .if (${AFS} == "yes")
+ .if (${AFS:L} == "yes")
  CFLAGS+= -DAFS
-@@ -27,6 +28,7 @@
+@@ -29,6 +30,7 @@
  .endif # KERBEROS
  
  .include <bsd.prog.mk>
 +.include "../Makefile.inc"
  
--LDADD+=	-lutil -lz -lcrypto
-+LDADD+=	-lutil -lz ${CRYPTOLIBS}
- DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
+-LDADD+=	-lcrypto -lz
++LDADD+=	${CRYPTOLIBS} -lz
+ DPADD+=	${LIBCRYPTO} ${LIBZ}
diff openssh/files/patch-ah openssh/files/patch-ah
--- openssh/files/patch-ah	Sun Nov  5 00:04:25 2000
+++ openssh/files/patch-ah	Sat May 26 16:10:24 2001
@@ -1,6 +1,6 @@
---- ssh-add/Makefile.orig	Thu Jun 29 14:35:47 2000
-+++ ssh-add/Makefile	Sat Nov  4 17:01:50 2000
-@@ -5,12 +5,12 @@
+--- ssh-add/Makefile.orig	Sun Mar  4 01:51:25 2001
++++ ssh-add/Makefile	Sat May 26 14:56:29 2001
+@@ -7,12 +7,12 @@
  
  BINMODE?=555
  
@@ -9,10 +9,10 @@
 +BINDIR=	/bin
 +MAN1=	ssh-add.1
  
- SRCS=	ssh-add.c log-client.c
+ SRCS=	ssh-add.c
  
  .include <bsd.prog.mk>
  
--LDADD+=	-lcrypto -lutil -lz
-+LDADD+=	${CRYPTOLIBS} -lutil -lz
- DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
+-LDADD+=	-lcrypto
++LDADD+=	${CRYPTOLIBS}
+ DPADD+= ${LIBCRYPTO}
diff openssh/files/patch-ai openssh/files/patch-ai
--- openssh/files/patch-ai	Sun Nov  5 00:04:25 2000
+++ openssh/files/patch-ai	Sat May 26 16:10:41 2001
@@ -1,6 +1,6 @@
---- ssh-agent/Makefile.orig	Thu Jun 29 14:35:48 2000
-+++ ssh-agent/Makefile	Sat Nov  4 17:06:34 2000
-@@ -5,12 +5,12 @@
+--- ssh-agent/Makefile.orig	Sun Mar  4 01:51:25 2001
++++ ssh-agent/Makefile	Sat May 26 14:58:48 2001
+@@ -7,12 +7,12 @@
  
  BINMODE?=555
  
@@ -9,10 +9,10 @@
 +BINDIR=	/bin
 +MAN1=	ssh-agent.1
  
- SRCS=	ssh-agent.c log-client.c
+ SRCS=	ssh-agent.c
  
  .include <bsd.prog.mk>
  
--LDADD+=	-lcrypto -lutil -lz
-+LDADD+=	${CRYPTOLIBS} -lutil -lz
- DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
+-LDADD+=	-lcrypto
++LDADD+=	${CRYPTOLIBS}
+ DPADD+=	${LIBCRYPTO}
diff openssh/files/patch-aj openssh/files/patch-aj
--- openssh/files/patch-aj	Sun Nov  5 00:04:25 2000
+++ openssh/files/patch-aj	Sat May 26 16:10:52 2001
@@ -1,6 +1,6 @@
---- ssh-keygen/Makefile.orig	Thu Jun 29 14:35:48 2000
-+++ ssh-keygen/Makefile	Sat Nov  4 17:06:49 2000
-@@ -5,12 +5,12 @@
+--- ssh-keygen/Makefile.orig	Sun Mar  4 01:51:26 2001
++++ ssh-keygen/Makefile	Sat May 26 15:02:25 2001
+@@ -7,12 +7,12 @@
  
  BINMODE?=555
  
@@ -9,10 +9,10 @@
 +BINDIR=	/bin
 +MAN1=	ssh-keygen.1
  
- SRCS=	ssh-keygen.c log-client.c
+ SRCS=	ssh-keygen.c
  
  .include <bsd.prog.mk>
  
--LDADD+=	-lcrypto -lutil -lz
-+LDADD+=	${CRYPTOLIBS} -lutil -lz
- DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
+-LDADD+=	-lcrypto
++LDADD+=	${CRYPTOLIBS}
+ DPADD+=	${LIBCRYPTO}
diff openssh/files/patch-ak openssh/files/patch-ak
--- openssh/files/patch-ak	Tue Jun 27 23:30:39 2000
+++ openssh/files/patch-ak	Sat May 26 15:08:27 2001
@@ -1,6 +1,6 @@
---- ssh.c.orig	Tue May 30 23:36:40 2000
-+++ ssh.c	Tue Jun 20 16:15:29 2000
-@@ -156,6 +156,9 @@
+--- ssh.c.orig	Tue Apr 17 14:55:04 2001
++++ ssh.c	Sat May 26 15:05:28 2001
+@@ -199,6 +199,9 @@
  	log("Using rsh.  WARNING: Connection will not be encrypted.");
  	/* Build argument list for rsh. */
  	i = 0;
@@ -10,15 +10,3 @@
  	args[i++] = _PATH_RSH;
  	/* host may have to come after user on some systems */
  	args[i++] = host;
-@@ -482,6 +485,11 @@
- 	pwcopy.pw_gid = pw->pw_gid;
- 	pwcopy.pw_dir = xstrdup(pw->pw_dir);
- 	pwcopy.pw_shell = xstrdup(pw->pw_shell);
-+#ifdef __FreeBSD__
-+	pwcopy.pw_class = xstrdup(pw->pw_class);
-+ 	pwcopy.pw_expire = pw->pw_expire;
-+ 	pwcopy.pw_change = pw->pw_change;
-+#endif /* __FreeBSD__ */
- 	pw = &pwcopy;
- 
- 	/* Initialize "log" output.  Since we are the client all output
diff openssh/files/patch-al openssh/files/patch-al
--- openssh/files/patch-al	Sun Nov 28 23:40:28 1999
+++ openssh/files/patch-al	Sat May 26 15:11:33 2001
@@ -1,20 +1,20 @@
---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh.h	Sun Nov 28 16:47:46 1999
-+++ ssh.h	Sun Nov 28 17:00:07 1999
-@@ -61,7 +61,7 @@
+--- pathnames.h.orig	Thu Apr 12 21:15:24 2001
++++ pathnames.h	Sat May 26 15:11:30 2001
+@@ -12,7 +12,7 @@
+  * called by a name other than "ssh" or "Secure Shell".
   */
- #define SSH_SERVICE_NAME	"ssh"
  
--#define ETCDIR			"/etc"
-+#define ETCDIR			"__PREFIX__/etc"
- #define PIDDIR			"/var/run"
+-#define ETCDIR				"/etc"
++#define ETCDIR				"__PREFIX__/etc"
+ #define _PATH_SSH_PIDDIR		"/var/run"
  
  /*
-@@ -78,7 +78,7 @@
- #define SERVER_CONFIG_FILE	ETCDIR "/sshd_config"
- #define HOST_CONFIG_FILE	ETCDIR "/ssh_config"
+@@ -33,7 +33,7 @@
+ #define _PATH_HOST_RSA_KEY_FILE		ETCDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_PRIMES			ETCDIR "/primes"
  
--#define SSH_PROGRAM		"/usr/bin/ssh"
-+#define SSH_PROGRAM		"__PREFIX__/bin/ssh"
+-#define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
++#define _PATH_SSH_PROGRAM		"__PREFIX__/bin/ssh"
  
  /*
   * The process id of the daemon listening for connections is saved here to
diff openssh/files/patch-ao openssh/files/patch-ao
--- openssh/files/patch-ao	Sun Nov  5 00:04:25 2000
+++ openssh/files/patch-ao	Sat May 26 15:15:18 2001
@@ -1,29 +1,35 @@
---- sshd_config.orig	Fri Aug  4 16:30:35 2000
-+++ sshd_config	Sat Nov  4 17:32:28 2000
-@@ -4,12 +4,11 @@
+--- sshd_config.orig	Sat May 26 14:48:18 2001
++++ sshd_config	Sat May 26 15:15:11 2001
+@@ -7,13 +7,13 @@
  #Protocol 2,1
  #ListenAddress 0.0.0.0
  #ListenAddress ::
 -HostKey /etc/ssh_host_key
+-HostKey /etc/ssh_host_rsa_key
+-HostKey /etc/ssh_host_dsa_key
 +HostKey /usr/local/etc/ssh_host_key
++HostKey /usr/local/etc/ssh_host_rsa_key
++HostKey /usr/local/etc/ssh_host_dsa_key
  ServerKeyBits 768
 -LoginGraceTime 600
 +LoginGraceTime 120
  KeyRegenerationInterval 3600
 -PermitRootLogin yes
--#
 +PermitRootLogin no
+ #
  # Don't read ~/.rhosts and ~/.shosts files
  IgnoreRhosts yes
- # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-@@ -48,7 +47,7 @@
+@@ -57,10 +57,10 @@
  #KerberosTgtPassing yes
  
  #CheckMail yes
 -#UseLogin no
 +UseLogin no
  
--#Subsystem	sftp	/usr/local/sbin/sftpd
 -#MaxStartups 10:30:60
-+Subsystem	sftp	/usr/local/sbin/sftpd
 +MaxStartups 10:30:60
+ #Banner /etc/issue.net
+ #ReverseMappingCheck yes
+ 
+-Subsystem	sftp	/usr/libexec/sftp-server
++Subsystem	sftp	/usr/local/libexec/sftp-server
diff openssh/files/patch-ap openssh/files/patch-ap
--- openssh/files/patch-ap	Tue Nov 14 05:51:10 2000
+++ openssh/files/patch-ap	Sat May 26 15:18:53 2001
@@ -1,50 +1,11 @@
-Index: clientloop.c
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/clientloop.c,v
-retrieving revision 1.1.1.3
-diff -u -r1.1.1.3 clientloop.c
---- clientloop.c	2000/09/10 08:29:25	1.1.1.3
-+++ clientloop.c	2000/11/14 03:15:02
-@@ -75,6 +75,8 @@
- #include "buffer.h"
- #include "bufaux.h"
+--- clientloop.c.orig	Fri Apr 20 09:17:51 2001
++++ clientloop.c	Sat May 26 15:18:51 2001
+@@ -1131,7 +1131,7 @@
  
-+extern Options options;
-+
- /* Flag indicating that stdin should be redirected from /dev/null. */
- extern int stdin_null_flag;
- 
-@@ -793,7 +795,6 @@
- int
- client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
- {
--	extern Options options;
- 	double start_time, total_time;
- 	int len;
- 	char buf[100];
-@@ -1036,7 +1037,7 @@
- 	debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
- 	    ctype, rchan, rwindow, rmaxpack);
- 
--	if (strcmp(ctype, "x11") == 0) {
-+	if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
- 		int sock;
- 		char *originator;
- 		int originator_port;
-@@ -1108,11 +1109,14 @@
- 	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
- 	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
- 	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
--	dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
- 	dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
- 	dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
- 	dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
--	dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
-+
-+	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
-+	    &auth_input_open_request : NULL);
-+	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
-+	    &x11_input_open : NULL);
- }
- void
- client_init_dispatch_15()
+ 	if (strcmp(ctype, "forwarded-tcpip") == 0) {
+ 		c = client_request_forwarded_tcpip(ctype, rchan);
+-	} else if (strcmp(ctype, "x11") == 0) {
++	} else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
+ 		c = client_request_x11(ctype, rchan);
+ 	} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
+ 		c = client_request_agent(ctype, rchan);
diff openssh/files/patch-as openssh/files/patch-as
--- openssh/files/patch-as	Thu Dec 23 07:37:30 1999
+++ openssh/files/patch-as	Sat May 26 15:21:42 2001
@@ -1,14 +1,14 @@
---- pty.c.orig	Thu Dec 23 01:13:10 1999
-+++ pty.c	Thu Dec 23 01:14:05 1999
-@@ -16,7 +16,11 @@
+--- sshpty.c.orig	Sun Mar  4 02:46:30 2001
++++ sshpty.c	Sat May 26 15:21:34 2001
+@@ -14,7 +14,11 @@
  #include "includes.h"
- RCSID("$Id: pty.c,v 1.11 1999/12/11 09:35:46 markus Exp $");
+ RCSID("$OpenBSD: sshpty.c,v 1.1 2001/03/04 01:46:30 djm Exp $");
  
 +#ifdef __FreeBSD__
 +#include <libutil.h>
 +#else
  #include <util.h>
 +#endif
- #include "pty.h"
- #include "ssh.h"
+ #include "sshpty.h"
+ #include "log.h"
  
diff openssh/files/patch-au openssh/files/patch-au
--- openssh/files/patch-au	Sun Feb 18 18:48:35 2001
+++ openssh/files/patch-au	Sat May 26 15:46:25 2001
@@ -1,8 +1,8 @@
---- /home/bright/ssh/ssh/session.c	Sun Aug 27 20:50:54 2000
-+++ session.c	Fri Feb  9 11:19:14 2001
-@@ -28,6 +28,12 @@
- #include "auth.h"
- #include "auth-options.h"
+--- session.c.orig	Tue Apr 17 21:34:25 2001
++++ session.c	Sat May 26 15:45:15 2001
+@@ -58,6 +58,12 @@
+ #include "canohost.h"
+ #include "session.h"
  
 +#ifdef __FreeBSD__
 +#include <libutil.h>
@@ -10,10 +10,10 @@
 +#include <time.h>
 +#endif /* __FreeBSD__ */
 +
- #ifdef HAVE_LOGIN_CAP
- #include <login_cap.h>
- #endif
-@@ -413,6 +419,13 @@
+ /* types */
+ 
+ #define TTYSZ 64
+@@ -461,6 +467,13 @@
  		log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
  		/*
@@ -22,12 +22,12 @@
 +		 */
 +		if (command != NULL)
 +			options.use_login = 0;
-+		
++
 +		/*
  		 * Create a new session and process group since the 4.4BSD
  		 * setlogin() affects the entire process group.
  		 */
-@@ -516,6 +529,13 @@
+@@ -566,6 +579,13 @@
  		/* Child.  Reinitialize the log because the pid has changed. */
  		log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -37,22 +37,26 @@
 +		 */
 +		if (command != NULL)
 +			options.use_login = 0;
-+		
++
  		/* Close the master side of the pseudo tty. */
  		close(ptyfd);
  
-@@ -602,6 +622,7 @@
+@@ -639,6 +659,11 @@
  	time_t last_login_time;
  	struct passwd * pw = s->pw;
  	pid_t pid = getpid();
++#ifdef HAVE_LOGIN_CAP
++	FILE *f;
++	char buf[256];
 +	char *fname;
++#endif /* HAVE_LOGIN_CAP */
  
  	/*
  	 * Get IP address of client. If the connection is not a socket, let
-@@ -644,6 +665,20 @@
- 		else
- 			printf("Last login: %s from %s\r\n", time_string, buf);
+@@ -679,6 +704,21 @@
+ 			printf("Last login: %s from %s\r\n", time_string, hostname);
  	}
+ 
 +#ifdef HAVE_LOGIN_CAP
 +	if (!options.use_login) {
 +		fname = login_getcapstr(lc, "copyright", NULL, NULL);
@@ -67,10 +71,11 @@
 +	    "All rights reserved.");
 +	}
 +#endif /* HAVE_LOGIN_CAP */
- 	if (options.print_motd) {
- #ifdef HAVE_LOGIN_CAP
- 		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
-@@ -949,7 +984,7 @@
++
+ 	do_motd();
+ }
+ 
+@@ -1027,7 +1067,7 @@
  	 * initgroups, because at least on Solaris 2.3 it leaves file
  	 * descriptors open.
  	 */
@@ -79,11 +84,10 @@
  		close(i);
  
  	/* Change current directory to the user\'s home directory. */
-@@ -973,7 +1008,27 @@
+@@ -1051,6 +1091,26 @@
  	 * in this order).
  	 */
  	if (!options.use_login) {
--		if (stat(SSH_USER_RC, &st) >= 0) {
 +#ifdef __FreeBSD__
 +		/*
 +		 * If the password change time is set and has passed, give the
@@ -104,7 +108,6 @@
 +			}
 +		}
 +#endif /* __FreeBSD__ */
-+                if (stat(SSH_USER_RC, &st) >= 0) {
+ 		/* ignore _PATH_SSH_USER_RC for subsystems */
+ 		if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
  			if (debug_flag)
- 				fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);
- 
diff openssh/files/patch-aw openssh/files/patch-aw
--- openssh/files/patch-aw	Sat May 13 21:25:57 2000
+++ openssh/files/patch-aw	Thu Jan  1 01:00:00 1970
@@ -1,14 +0,0 @@
---- auth1.c.orig	Thu Apr 20 17:21:58 2000
-+++ auth1.c	Thu Apr 20 17:50:06 2000
-@@ -523,6 +532,11 @@
- 	pwcopy.pw_gid = pw->pw_gid;
- 	pwcopy.pw_dir = xstrdup(pw->pw_dir);
- 	pwcopy.pw_shell = xstrdup(pw->pw_shell);
-+#ifdef __FreeBSD__
-+	pwcopy.pw_class = xstrdup(pw->pw_class);
-+	pwcopy.pw_expire = pw->pw_expire;
-+	pwcopy.pw_change = pw->pw_change;
-+#endif /* __FreeBSD__ */
- 	pw = &pwcopy;
- 
- 	/*
diff openssh/files/patch-ay openssh/files/patch-ay
--- openssh/files/patch-ay	Tue Jun 27 23:30:39 2000
+++ openssh/files/patch-ay	Thu Jan  1 01:00:00 1970
@@ -1,14 +0,0 @@
---- auth2.c.orig	Tue Jun 27 14:20:06 2000
-+++ auth2.c	Tue Jun 27 14:21:20 2000
-@@ -357,6 +357,11 @@
- 		copy->pw_gid = pw->pw_gid;
- 		copy->pw_dir = xstrdup(pw->pw_dir);
- 		copy->pw_shell = xstrdup(pw->pw_shell);
-+#ifdef __FreeBSD__
-+		copy->pw_class = xstrdup(pw->pw_class);
-+		copy->pw_expire = pw->pw_expire;
-+		copy->pw_change = pw->pw_change;
-+#endif /* __FreeBSD__ */
- 		authctxt->valid = 1;
- 	} else {
- 		if (strcmp(u, authctxt->user) != 0 ||
diff openssh/files/patch-az openssh/files/patch-az
--- openssh/files/patch-az	Fri Feb  9 23:37:50 2001
+++ openssh/files/patch-az	Thu Jan  1 01:00:00 1970
@@ -1,11 +0,0 @@
---- /home/bright/ssh/ssh/deattack.c	Fri Aug 18 19:17:12 2000
-+++ deattack.c	Fri Feb  9 10:58:54 2001
-@@ -84,7 +84,7 @@
- detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
- {
- 	static u_int16_t *h = (u_int16_t *) NULL;
--	static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
-+	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
- 	register u_int32_t i, j;
- 	u_int32_t l;
- 	register unsigned char *c;
diff openssh/files/patch-bleichenbacher openssh/files/patch-bleichenbacher
--- openssh/files/patch-bleichenbacher	Mon Feb 12 09:06:56 2001
+++ openssh/files/patch-bleichenbacher	Thu Jan  1 01:00:00 1970
@@ -1,189 +0,0 @@
-Index: rsa.h
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/rsa.h,v
-retrieving revision 1.2.2.2
-diff -u -r1.2.2.2 rsa.h
---- rsa.h	2000/10/28 23:00:49	1.2.2.2
-+++ rsa.h	2001/02/12 04:03:40
-@@ -32,6 +32,6 @@
- int rsa_alive __P((void));
- 
- void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
--void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
-+int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
- 
- #endif				/* RSA_H */
-Index: ssh-agent.c
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/ssh-agent.c,v
-retrieving revision 1.2.2.5
-diff -u -r1.2.2.5 ssh-agent.c
---- ssh-agent.c	2001/02/04 20:24:33	1.2.2.5
-+++ ssh-agent.c	2001/02/12 04:03:40
-@@ -194,7 +194,8 @@
- 	private = lookup_private_key(key, NULL, 1);
- 	if (private != NULL) {
- 		/* Decrypt the challenge using the private key. */
--		rsa_private_decrypt(challenge, challenge, private->rsa);
-+		if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
-+			goto failure;
- 
- 		/* The response is MD5 of decrypted challenge plus session id. */
- 		len = BN_num_bytes(challenge);
-Index: sshconnect1.c
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/sshconnect1.c,v
-retrieving revision 1.2.2.3
-diff -u -r1.2.2.3 sshconnect1.c
---- sshconnect1.c	2001/01/12 04:25:58	1.2.2.3
-+++ sshconnect1.c	2001/02/12 04:03:40
-@@ -152,14 +152,17 @@
- 	int i, len;
- 
- 	/* Decrypt the challenge using the private key. */
--	rsa_private_decrypt(challenge, challenge, prv);
-+	/* XXX think about Bleichenbacher, too */
-+	if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
-+		packet_disconnect(
-+		    "respond_to_rsa_challenge: rsa_private_decrypt failed");
- 
- 	/* Compute the response. */
- 	/* The response is MD5 of decrypted challenge plus session id. */
- 	len = BN_num_bytes(challenge);
- 	if (len <= 0 || len > sizeof(buf))
--		packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
--				  len);
-+		packet_disconnect(
-+		    "respond_to_rsa_challenge: bad challenge length %d", len);
- 
- 	memset(buf, 0, sizeof(buf));
- 	BN_bn2bin(challenge, buf + sizeof(buf) - len);
-Index: sshd.c
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/sshd.c,v
-retrieving revision 1.6.2.5
-diff -u -r1.6.2.5 sshd.c
---- sshd.c	2001/01/18 22:36:53	1.6.2.5
-+++ sshd.c	2001/02/12 04:09:43
-@@ -1108,6 +1108,7 @@
- {
- 	int i, len;
- 	int plen, slen;
-+	int rsafail = 0;
- 	BIGNUM *session_key_int;
- 	unsigned char session_key[SSH_SESSION_KEY_LENGTH];
- 	unsigned char cookie[8];
-@@ -1229,7 +1230,7 @@
- 	 * with larger modulus first).
- 	 */
- 	if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) {
--		/* Private key has bigger modulus. */
-+		/* Server key has bigger modulus. */
- 		if (BN_num_bits(sensitive_data.private_key->n) <
- 		    BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
- 			fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
-@@ -1238,10 +1239,12 @@
- 			      BN_num_bits(sensitive_data.host_key->n),
- 			      SSH_KEY_BITS_RESERVED);
- 		}
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.private_key);
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.host_key);
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.private_key) <= 0)
-+			rsafail++;
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.host_key) <= 0)
-+			rsafail++;
- 	} else {
- 		/* Host key has bigger modulus (or they are equal). */
- 		if (BN_num_bits(sensitive_data.host_key->n) <
-@@ -1252,10 +1255,12 @@
- 			      BN_num_bits(sensitive_data.private_key->n),
- 			      SSH_KEY_BITS_RESERVED);
- 		}
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.host_key);
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.private_key);
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.host_key) < 0)
-+			rsafail++;
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.private_key) < 0)
-+			rsafail++;
- 	}
- 
- 	compute_session_id(session_id, cookie,
-@@ -1270,14 +1275,29 @@
- 	 * least significant 256 bits of the integer; the first byte of the
- 	 * key is in the highest bits.
- 	 */
--	BN_mask_bits(session_key_int, sizeof(session_key) * 8);
--	len = BN_num_bytes(session_key_int);
--	if (len < 0 || len > sizeof(session_key))
--		fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",
--		      get_remote_ipaddr(),
--		      len, sizeof(session_key));
--	memset(session_key, 0, sizeof(session_key));
--	BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
-+	if (!rsafail) {
-+		BN_mask_bits(session_key_int, sizeof(session_key) * 8);
-+		len = BN_num_bytes(session_key_int);
-+		if (len < 0 || len > sizeof(session_key)) {
-+			error("do_connection: bad session key len from %s: "
-+			    "session_key_int %d > sizeof(session_key) %d",
-+			    get_remote_ipaddr(), len, sizeof(session_key));
-+			rsafail++;
-+		} else {
-+			memset(session_key, 0, sizeof(session_key));
-+			BN_bn2bin(session_key_int,
-+			    session_key + sizeof(session_key) - len);
-+		}
-+	}
-+	if (rsafail) {
-+		log("do_connection: generating a fake encryption key");
-+		for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
-+			if (i % 4 == 0)
-+				rand = arc4random();
-+			session_key[i] = rand & 0xff;
-+			rand >>= 8;
-+		}
-+	}
- 
- 	/* Destroy the decrypted integer.  It is no longer needed. */
- 	BN_clear_free(session_key_int);
---- rsa.c.orig	Mon Jun 19 18:39:44 2000
-+++ rsa.c	Mon Feb 12 00:04:02 2001
-@@ -135,7 +135,7 @@
- 	xfree(inbuf);
- }
- 
--void
-+int
- rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
- {
- 	unsigned char *inbuf, *outbuf;
-@@ -149,15 +149,16 @@
- 	BN_bn2bin(in, inbuf);
- 
- 	if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
--	    RSA_PKCS1_PADDING)) <= 0)
--		fatal("rsa_private_decrypt() failed");
--
--	BN_bin2bn(outbuf, len, out);
--
-+	    RSA_PKCS1_PADDING)) <= 0) {
-+		error("rsa_private_decrypt() failed");
-+	} else {
-+		BN_bin2bn(outbuf, len, out);
-+	}
- 	memset(outbuf, 0, olen);
- 	memset(inbuf, 0, ilen);
- 	xfree(outbuf);
- 	xfree(inbuf);
-+	return len;
- }
- 
- /* Set whether to output verbose messages during key generation. */
diff openssh/files/patch-misc.c openssh/files/patch-misc.c
--- openssh/files/patch-misc.c	Thu Jan  1 01:00:00 1970
+++ openssh/files/patch-misc.c	Sat May 26 15:39:30 2001
@@ -0,0 +1,13 @@
+--- misc.c.orig	Thu Apr 12 22:09:37 2001
++++ misc.c	Sat May 26 15:39:25 2001
+@@ -111,6 +111,10 @@
+ 	copy->pw_class = xstrdup(pw->pw_class);
+ 	copy->pw_dir = xstrdup(pw->pw_dir);
+ 	copy->pw_shell = xstrdup(pw->pw_shell);
++#ifdef __FreeBSD__
++	copy->pw_expire = pw->pw_expire;
++	copy->pw_change = pw->pw_change;
++#endif /* __FreeBSD__ */
+ 	return copy;
+ }
+ 
diff openssh/files/patch-sftp-Makefile openssh/files/patch-sftp-Makefile
--- openssh/files/patch-sftp-Makefile	Thu Jan  1 01:00:00 1970
+++ openssh/files/patch-sftp-Makefile	Sat May 26 16:11:25 2001
@@ -0,0 +1,13 @@
+--- sftp/Makefile.orig	Mon Apr 16 04:31:52 2001
++++ sftp/Makefile	Sat May 26 15:49:42 2001
+@@ -7,8 +7,8 @@
+ 
+ BINMODE?=555
+ 
+-BINDIR=	/usr/bin
+-MAN=	sftp.1
++BINDIR=	/bin
++MAN1=	sftp.1
+ 
+ SRCS=	sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c scp-common.c
+ 
diff openssh/files/patch-sftp-server-Makefile openssh/files/patch-sftp-server-Makefile
--- openssh/files/patch-sftp-server-Makefile	Thu Jan  1 01:00:00 1970
+++ openssh/files/patch-sftp-server-Makefile	Sat May 26 16:11:33 2001
@@ -0,0 +1,13 @@
+--- sftp-server/Makefile.orig	Sun Mar  4 00:59:36 2001
++++ sftp-server/Makefile	Sat May 26 15:47:57 2001
+@@ -7,8 +7,8 @@
+ 
+ BINMODE?=555
+ 
+-BINDIR=	/usr/libexec
+-MAN=	sftp-server.8
++BINDIR=	/libexec
++MAN8=	sftp-server.8
+ 
+ SRCS=	sftp-server.c sftp-common.c
+ 
diff openssh/files/patch-ssh-keyscan-Makefile openssh/files/patch-ssh-keyscan-Makefile
--- openssh/files/patch-ssh-keyscan-Makefile	Thu Jan  1 01:00:00 1970
+++ openssh/files/patch-ssh-keyscan-Makefile	Sat May 26 16:14:09 2001
@@ -0,0 +1,13 @@
+--- ssh-keyscan/Makefile.orig	Sun Mar  4 00:59:39 2001
++++ ssh-keyscan/Makefile	Sat May 26 16:14:05 2001
+@@ -7,8 +7,8 @@
+ 
+ BINMODE?=555
+ 
+-BINDIR=	/usr/bin
+-MAN=	ssh-keyscan.1
++BINDIR=	/bin
++MAN1=	ssh-keyscan.1
+ 
+ SRCS=	ssh-keyscan.c
+ 
diff openssh/pkg-plist openssh/pkg-plist
--- openssh/pkg-plist	Tue Apr  3 21:05:22 2001
+++ openssh/pkg-plist	Sat May 26 16:16:47 2001
@@ -1,13 +1,16 @@
 bin/scp
+bin/sftp
 bin/slogin
 bin/ssh
 bin/ssh-add
 bin/ssh-agent
 bin/ssh-keygen
+bin/ssh-keyscan
 etc/rc.d/sshd.sh
 etc/ssh_config
 etc/sshd_config
 sbin/sshd
+libexec/sftp-server
 @exec if [ ! -f %D/etc/ssh_host_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi
 @exec if [ ! -f %D/etc/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -d -N "" -f %D/etc/ssh_host_dsa_key; fi
 @exec if [ ! -x %D/etc/rc.d/sshd.sh ]; then echo "#!/bin/sh" > %D/etc/rc.d/sshd.sh && exec echo "[ -x %D/sbin/sshd ] && %D/sbin/sshd && echo -n ' sshd'" >> %D/etc/rc.d/sshd.sh && exec chmod 0555 %D/etc/rc.d/sshd.sh; fi
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105261431.f4QEVlE33306>