config.sub work.clean/o /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. We don't ---- work/openssh/sshd-session.c.orig 2025-10-11 10:19:18.935826000 -0700 -+++ work/openssh/sshd-session.c 2025-10-11 10:20:11.460279000 -0700 -@@ -1281,7 +1281,7 @@ main(int ac, char **av) - } - - if ((r = kex_exchange_identification(ssh, -1, -- options.version_addendum)) != 0) { -+ options.version_addendum, options.hpn_disabled)) != 0) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); - sshpkt_fatal(ssh, r, "banner exchange"); - } --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 @@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -1285,9 +1274,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o struct kex *kex_new(void); int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); ---- work/openssh/sshd-auth.c.orig 2025-04-10 22:36:29.699636000 -0700 -+++ work/openssh/sshd-auth.c 2025-04-10 22:36:33.770235000 -0700 -@@ -827,6 +827,14 @@ do_ssh2_kex(struct ssh *ssh) +--- work/openssh/sshd-auth.c.orig 2026-04-25 16:58:23.868827000 -0700 ++++ work/openssh/sshd-auth.c 2026-04-25 16:59:29.116215000 -0700 +@@ -799,6 +799,14 @@ do_ssh2_kex(struct ssh *ssh) struct kex *kex; int r; @@ -1302,3 +1291,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o if (options.rekey_limit || options.rekey_interval) ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); +@@ -813,7 +821,7 @@ do_ssh2_kex(struct ssh *ssh) + free(hkalgs); + + if ((r = kex_exchange_identification(ssh, -1, +- options.version_addendum)) != 0) { ++ options.version_addendum, options.hpn_disabled)) != 0) { + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); + sshpkt_fatal(ssh, r, "banner exchange"); + } diff --git a/security/openssh-portable/files/extra-patch-hpn-gss-glue b/security/openssh-portable/files/extra-patch-hpn-gss-glue index 3924a57f9d67..81ee7e0e4250 100644 --- a/security/openssh-portable/files/extra-patch-hpn-gss-glue +++ b/security/openssh-portable/files/extra-patch-hpn-gss-glue @@ -22,15 +22,14 @@ if (options.gss_keyex) { /* Add the GSSAPI mechanisms currently supported on this * client to the key exchange algorithm proposal */ ---- readconf.c.orig 2025-10-08 15:36:47.220504000 -0700 -+++ readconf.c 2025-10-08 15:38:09.729314000 -0700 -@@ -60,11 +60,11 @@ +--- readconf.c.orig 2026-04-25 17:03:05.811011000 -0700 ++++ readconf.c 2026-04-25 17:03:28.148581000 -0700 +@@ -53,10 +53,10 @@ #include "readconf.h" #include "match.h" #include "kex.h" +#include "ssh-gss.h" #include "mac.h" - #include "uidswap.h" #include "myproposal.h" #include "digest.h" -#include "ssh-gss.h" diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index 8061e4c76386..cba3768c1507 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c @@ -8,14 +8,6 @@ Apply FreeBSD's configuration defaults. --- servconf.c.orig 2026-04-25 16:05:26.936844000 -0700 +++ servconf.c 2026-04-25 16:18:06.486288000 -0700 -@@ -44,6 +44,7 @@ - # include "openbsd-compat/glob.h" - #endif - -+#include "version.h" - #include "openbsd-compat/sys-queue.h" - #include "xmalloc.h" - #include "ssh.h" @@ -298,7 +299,11 @@ fill_default_server_options(ServerOptions *options) /* Portable-specific options */ diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index da35125897b5..511b989893a4 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -13,9 +13,9 @@ to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ session.c 2021-04-27 13:11:13.515917000 -0700 -@@ -939,6 +939,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +--- session.c.orig 2026-04-02 01:09:03.000000000 -0700 ++++ session.c 2026-04-25 16:52:16.015940000 -0700 +@@ -940,6 +940,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -25,7 +25,7 @@ Sponsored by: DARPA, NAI Labs #endif /* Initialize the environment. */ -@@ -960,6 +963,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -961,6 +964,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif @@ -35,7 +35,7 @@ Sponsored by: DARPA, NAI Labs #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the child's environment as they see fit -@@ -977,11 +983,30 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -978,11 +984,30 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -70,25 +70,26 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1001,17 +1026,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1001,18 +1026,10 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + } # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - +- - if (!options.use_pam) { - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); - } -- + /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - if (s->term) - child_set_env(&env, &envsize, "TERM", s->term); - if (s->display) -@@ -1225,7 +1242,8 @@ do_nologin(struct passwd *pw) + #ifdef HAVE_LOGIN_CAP + if (getenv("XDG_RUNTIME_DIR")) { + child_set_env(&env, &envsize, "XDG_RUNTIME_DIR", +@@ -1232,7 +1249,8 @@ do_nologin(struct passwd *pw) do_nologin(struct passwd *pw) { FILE *f = NULL; @@ -98,7 +99,7 @@ Sponsored by: DARPA, NAI Labs struct stat sb; #ifdef HAVE_LOGIN_CAP -@@ -1315,7 +1333,7 @@ do_setusercontext(struct passwd *pw) +@@ -1322,7 +1340,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid,