Current openssh-portable

security/openssh-portable/files/extra-patch-blacklistd

@@ -0,0 +1,419 @@
+--- blacklist.c.orig	2021-04-28 13:37:52.679784000 -0700
++++ blacklist.c	2021-04-28 13:56:45.677805000 -0700
+@@ -0,0 +1,92 @@
++/*-
++ * Copyright (c) 2015 The NetBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * All rights reserved.
++ *
++ * Portions of this software were developed by Kurt Lidl
++ * under sponsorship from the FreeBSD Foundation.
++ *
++ * This code is derived from software contributed to The NetBSD Foundation
++ * by Christos Zoulas.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
++ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "includes.h"
++
++#include <ctype.h>
++#include <stdarg.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <syslog.h>
++#include <unistd.h>
++
++#include "ssh.h"
++#include "packet.h"
++#include "log.h"
++#include "misc.h"
++#include <blacklist.h>
++#include "blacklist_client.h"
++
++static struct blacklist *blstate = NULL;
++
++/* internal definition from bl.h */
++struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
++
++/* impedence match vsyslog() to sshd's internal logging levels */
++void
++im_log(int priority, const char *message, va_list args)
++{
++	LogLevel imlevel;
++
++	switch (priority) {
++	case LOG_ERR:
++		imlevel = SYSLOG_LEVEL_ERROR;
++		break;
++	case LOG_DEBUG:
++		imlevel = SYSLOG_LEVEL_DEBUG1;
++		break;
++	case LOG_INFO:
++		imlevel = SYSLOG_LEVEL_INFO;
++		break;
++	default:
++		imlevel = SYSLOG_LEVEL_DEBUG2;
++	}
++	do_log2(imlevel, message, args);
++}
++
++void
++blacklist_init(void)
++{
++
++	blstate = bl_create(false, NULL, im_log);
++}
++
++void
++blacklist_notify(int action, struct ssh *ssh, const char *msg)
++{
++
++	if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
++		(void)blacklist_r(blstate, action,
++		ssh_packet_get_connection_in(ssh), msg);
++}
+--- blacklist_client.h.orig	2020-11-16 16:45:22.823087000 -0800
++++ blacklist_client.h	2020-11-16 16:45:09.761962000 -0800
+@@ -0,0 +1,61 @@
++/*-
++ * Copyright (c) 2015 The NetBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * All rights reserved.
++ *
++ * Portions of this software were developed by Kurt Lidl
++ * under sponsorship from the FreeBSD Foundation.
++ *
++ * This code is derived from software contributed to The NetBSD Foundation
++ * by Christos Zoulas.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
++ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef BLACKLIST_CLIENT_H
++#define BLACKLIST_CLIENT_H
++
++#ifndef BLACKLIST_API_ENUM
++enum {
++	BLACKLIST_AUTH_OK = 0,
++	BLACKLIST_AUTH_FAIL,
++	BLACKLIST_ABUSIVE_BEHAVIOR,
++	BLACKLIST_BAD_USER
++};
++#endif
++
++#ifdef USE_BLACKLIST
++void blacklist_init(void);
++void blacklist_notify(int, struct ssh *, const char *);
++
++#define BLACKLIST_INIT() blacklist_init()
++#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg)
++
++#else
++
++#define BLACKLIST_INIT()
++#define BLACKLIST_NOTIFY(x, ssh, msg)
++
++#endif
++
++
++#endif /* BLACKLIST_CLIENT_H */
+--- servconf.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ servconf.c	2021-04-28 13:36:19.591999000 -0700
+@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
+ 	options->max_sessions = -1;
+ 	options->banner = NULL;
+ 	options->use_dns = -1;
++	options->use_blacklist = -1;
+ 	options->client_alive_interval = -1;
+ 	options->client_alive_count_max = -1;
+ 	options->num_authkeys_files = 0;
+@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
+ 		options->max_sessions = DEFAULT_SESSIONS_MAX;
+ 	if (options->use_dns == -1)
+ 		options->use_dns = 0;
++	if (options->use_blacklist == -1)
++		options->use_blacklist = 0;
+ 	if (options->client_alive_interval == -1)
+ 		options->client_alive_interval = 0;
+ 	if (options->client_alive_count_max == -1)
+@@ -506,6 +509,7 @@ typedef enum {
+ 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
+ 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
+ 	sBanner, sUseDNS, sHostbasedAuthentication,
++	sUseBlacklist,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
+ 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+@@ -642,6 +646,8 @@ static struct {
+ 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
+ 	{ "banner", sBanner, SSHCFG_ALL },
+ 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
++	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
++	{ "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */,
+ 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
+ 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
+ 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
+@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
+ 		intptr = &options->use_dns;
+ 		goto parse_flag;
+ 
++	case sUseBlacklist:
++		intptr = &options->use_blacklist;
++		goto parse_flag;
++
+ 	case sLogFacility:
+ 		log_facility_ptr = &options->log_facility;
+ 		arg = strdelim(&cp);
+@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sCompression, o->compression);
+ 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ 	dump_cfg_fmtint(sUseDNS, o->use_dns);
++	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+ 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
+--- servconf.h.orig	2020-11-16 15:51:00.752090000 -0800
++++ servconf.h	2020-11-16 15:51:02.962173000 -0800
+@@ -179,6 +179,7 @@ typedef struct {
+ 	int	max_sessions;
+ 	char   *banner;			/* SSH-2 banner message */
+ 	int	use_dns;
++	int	use_blacklist;
+ 	int	client_alive_interval;	/*
+ 					 * poke the client this often to
+ 					 * see if it's still there
+--- auth-pam.c.orig	2020-11-16 15:52:45.816578000 -0800
++++ auth-pam.c	2020-11-16 15:54:19.796583000 -0800
+@@ -105,6 +105,7 @@ extern char *__progname;
+ #include "ssh-gss.h"
+ #endif
+ #include "monitor_wrap.h"
++#include "blacklist_client.h"
+ 
+ extern ServerOptions options;
+ extern struct sshbuf *loginmsg;
+@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info,
+ 				sshbuf_free(buffer);
+ 				return (0);
+ 			}
++			/* XXX: ssh context unavailable here, unclear if this is even needed.
++			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
++			    the_active_state, sshpam_authctxt->user);
++			*/
+ 			error("PAM: %s for %s%.100s from %.100s", msg,
+ 			    sshpam_authctxt->valid ? "" : "illegal user ",
+ 			    sshpam_authctxt->user, sshpam_rhost);
+--- auth.c.orig	2020-11-16 15:52:45.824171000 -0800
++++ auth.c	2020-11-16 15:57:51.091969000 -0800
+@@ -76,6 +76,7 @@
+ #include "ssherr.h"
+ #include "compat.h"
+ #include "channels.h"
++#include "blacklist_client.h"
+ 
+ /* import */
+ extern ServerOptions options;
+@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti
+ 		authmsg = "Postponed";
+ 	else if (partial)
+ 		authmsg = "Partial";
+-	else
++	else {
+ 		authmsg = authenticated ? "Accepted" : "Failed";
++		if (authenticated)
++			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh");
++	}
+ 
+ 	if ((extra = format_method_key(authctxt)) == NULL) {
+ 		if (authctxt->auth_method_info != NULL)
+@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ 	aix_restoreauthdb();
+ #endif
+ 	if (pw == NULL) {
++		BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user);
+ 		logit("Invalid user %.100s from %.100s port %d",
+ 		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+ #ifdef CUSTOM_FAILED_LOGIN
+--- auth2.c.orig	2020-11-16 17:10:36.772062000 -0800
++++ auth2.c	2020-11-16 17:12:04.852943000 -0800
+@@ -58,6 +58,7 @@
+ #include "monitor_wrap.h"
+ #include "digest.h"
+ #include "kex.h"
++#include "blacklist_client.h"
+ 
+ /* import */
+ extern ServerOptions options;
+@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct
+ 		} else {
+ 			/* Invalid user, fake password information */
+ 			authctxt->pw = fakepw();
++			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");
+ #ifdef SSH_AUDIT_EVENTS
+ 			PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
+ #endif
+@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co
+ 	} else {
+ 		/* Allow initial try of "none" auth without failure penalty */
+ 		if (!partial && !authctxt->server_caused_failure &&
+-		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
++		    (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
+ 			authctxt->failures++;
++			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
++		}
+ 		if (authctxt->failures >= options.max_authtries) {
+ #ifdef SSH_AUDIT_EVENTS
+ 			PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
+--- packet.c.orig	2020-11-16 15:52:45.839070000 -0800
++++ packet.c	2020-11-16 15:56:09.285418000 -0800
+@@ -96,6 +96,7 @@
+ #include "packet.h"
+ #include "ssherr.h"
+ #include "sshbuf.h"
++#include "blacklist_client.h"
+ 
+ #ifdef PACKET_DEBUG
+ #define DBG(x) x
+@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
+ 	case SSH_ERR_NO_KEX_ALG_MATCH:
+ 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
+ 		if (ssh->kex && ssh->kex->failed_choice) {
++			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
+ 			ssh_packet_clear_keys(ssh);
+ 			errno = oerrno;
+ 			logdie("Unable to negotiate with %s: %s. "
+--- sshd.c.orig	2021-08-19 21:03:49.000000000 -0700
++++ sshd.c	2021-09-10 10:37:17.926747000 -0700
+@@ -123,6 +123,7 @@
+ #include "version.h"
+ #include "ssherr.h"
+ #include "sk-api.h"
++#include "blacklist_client.h"
+ #include "srclimit.h"
+ #include "dh.h"
+ 
+@@ -2225,6 +2228,9 @@ main(int ac, char **av)
+ 	if ((loginmsg = sshbuf_new()) == NULL)
+ 		fatal_f("sshbuf_new failed");
+ 	auth_debug_reset();
++
++	if (options.use_blacklist)
++		BLACKLIST_INIT();
+ 
+ 	if (use_privsep) {
+ 		if (privsep_preauth(ssh) == 1)
+--- Makefile.in.orig	2022-10-03 07:51:42.000000000 -0700
++++ Makefile.in	2022-10-09 10:50:06.401377000 -0700
+@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
+ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+ 		     @UNSUPPORTED_ALGORITHMS@
+ 
++LIBSSH_OBJS+=	blacklist.o
++
+ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+ 
+ $(LIBSSH_OBJS): Makefile.in config.h
+--- sshd_config.orig	2020-11-16 16:57:14.276036000 -0800
++++ sshd_config	2020-11-16 16:57:42.183846000 -0800
+@@ -94,6 +94,7 @@
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #PermitUserEnvironment no
++#UseBlacklist no
+ #Compression delayed
+ #ClientAliveInterval 0
+ #ClientAliveCountMax 3
+--- sshd_config.5.orig  2023-12-18 15:59:50.000000000 +0100
++++ sshd_config.5       2024-01-06 16:36:17.025742000 +0100
+@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with
+ is to never expire connections for having no open channels.
+ This option may be useful in conjunction with
+ .Cm ChannelTimeout .
++.It Cm UseBlacklist
++Specifies whether
++.Xr sshd 8
++attempts to send authentication success and failure messages
++to the
++.Xr blacklistd 8
++daemon.
++The default is
++.Cm no .
++For forward compatibility with an upcoming
++.Xr blacklistd
++rename, the
++.Cm UseBlocklist
++alias can be used instead.
+ .It Cm UseDNS
+ Specifies whether
+ .Xr sshd 8
+--- monitor.c.orig	2020-11-16 17:24:03.457283000 -0800
++++ monitor.c	2020-11-16 17:25:57.642510000 -0800
+@@ -96,6 +96,7 @@
+ #include "match.h"
+ #include "ssherr.h"
+ #include "sk-api.h"
++#include "blacklist_client.h"
+ 
+ #ifdef GSSAPI
+ static Gssctxt *gsscontext = NULL;
+@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor 
+ 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
+ 			auth_log(ssh, authenticated, partial,
+ 			    auth_method, auth_submethod);
+-			if (!partial && !authenticated)
++			if (!partial && !authenticated) {
+ 				authctxt->failures++;
++				BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
++				    ssh, "ssh");
++			}
+ 			if (authenticated || partial) {
+ 				auth2_update_session_info(authctxt,
+ 				    auth_method, auth_submethod);
+@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
+ 	} else {
+ 		/* Log failed attempt */
+ 		auth_log(ssh, 0, 0, auth_method, NULL);
++		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
+ 		free(cuser);
+ 		free(chost);
+ 	}

security/openssh-portable/files/extra-patch-gssapi-kexgssc.c

@@ -0,0 +1,14 @@
+Fix prototype for DH_get0_key() in kexgssgex_client().
+
+--- kexgssc.c.orig	2020-11-24 12:26:37.222092000 -0800
++++ kexgssc.c	2020-11-24 12:26:54.801490000 -0800
+@@ -31,6 +31,9 @@
+ #include <openssl/crypto.h>
+ #include <openssl/bn.h>
+ 
++#include <openssl/dh.h>
++#include "openbsd-compat/openssl-compat.h"
++
+ #include <string.h>
+ 
+ #include "xmalloc.h"

security/openssh-portable/files/extra-patch-gssapi-kexgsss.c

@@ -0,0 +1,14 @@
+Fix prototype for DH_get0_key() in kexgssgex_server().
+
+--- kexgsss.c.orig	2020-11-24 12:39:25.548427000 -0800
++++ kexgsss.c	2020-11-24 12:39:47.591119000 -0800
+@@ -31,6 +31,9 @@
+ #include <openssl/crypto.h>
+ #include <openssl/bn.h>
+ 
++#include <openssl/dh.h>
++#include "openbsd-compat/openssl-compat.h"
++
+ #include "xmalloc.h"
+ #include "sshbuf.h"
+ #include "ssh2.h"

security/openssh-portable/files/extra-patch-hpn-compat

@@ -0,0 +1,46 @@
+------------------------------------------------------------------------
+r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
+Changed paths:
+   M /head/crypto/openssh/servconf.c
+
+Instead of removing the NoneEnabled option, mark it as unsupported.
+(should have done this in r291198, but didn't think of it until now)
+
+------------------------------------------------------------------------
+------------------------------------------------------------------------
+r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
+Changed paths:
+   M /head/crypto/openssh/readconf.c
+
+r294563 was incomplete; re-add the client-side options as well.
+
+------------------------------------------------------------------------
+
+--- readconf.c.orig	2025-04-09 00:02:43.000000000 -0700
++++ readconf.c	2025-04-10 21:55:30.974643000 -0700
+@@ -332,6 +332,12 @@ static struct {
+ 	{ "obscurekeystroketiming", oObscureKeystrokeTiming },
+ 	{ "channeltimeout", oChannelTimeout },
+ 	{ "versionaddendum", oVersionAddendum },
++	{ "hpndisabled", oDeprecated },
++	{ "hpnbuffersize", oDeprecated },
++	{ "tcprcvbufpoll", oDeprecated },
++	{ "tcprcvbuf", oDeprecated },
++	{ "noneenabled", oUnsupported },
++	{ "noneswitch", oUnsupported },
+ 
+ 	{ NULL, oBadOption }
+ };
+--- servconf.c.orig	2024-09-19 15:20:48.000000000 -0700
++++ servconf.c	2024-10-07 20:18:18.259726000 -0700
+@@ -746,6 +746,10 @@ static struct {
+ 	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
+ 	{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+ 	{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
++	{ "noneenabled", sUnsupported, SSHCFG_ALL },
++	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
++	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
++	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
+ 	{ NULL, sBadOption, 0 }
+ };
+ 

security/openssh-portable/files/extra-patch-hpn-gss-glue

@@ -0,0 +1,57 @@
+--- sshconnect2.c.orig	2019-07-19 11:53:14.918867000 -0700
++++ sshconnect2.c	2019-07-19 11:53:16.911086000 -0700
+@@ -159,11 +159,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
+ 	char *s, *all_key;
+ 	int r;
+ 
+-#if defined(GSSAPI) && defined(WITH_OPENSSL)
+-	char *orig = NULL, *gss = NULL;
+-	char *gss_host = NULL;
+-#endif
+-
+ 	xxx_host = host;
+ 	xxx_hostaddr = hostaddr;
+ 
+@@ -197,6 +192,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
+ 	}
+ 
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
++	char *orig = NULL, *gss = NULL;
++	char *gss_host = NULL;
++
+ 	if (options.gss_keyex) {
+ 		/* Add the GSSAPI mechanisms currently supported on this
+ 		 * client to the key exchange algorithm proposal */
+--- readconf.c.orig	2019-07-19 12:13:18.000312000 -0700
++++ readconf.c	2019-07-19 12:13:29.614552000 -0700
+@@ -63,11 +63,11 @@
+ #include "readconf.h"
+ #include "match.h"
+ #include "kex.h"
++#include "ssh-gss.h"
+ #include "mac.h"
+ #include "uidswap.h"
+ #include "myproposal.h"
+ #include "digest.h"
+-#include "ssh-gss.h"
+ 
+ /* Format of the configuration file:
+ 
+--- servconf.c.orig	2019-07-19 12:14:42.078398000 -0700
++++ servconf.c	2019-07-19 12:14:43.543687000 -0700
+@@ -54,6 +54,7 @@
+ #include "sshkey.h"
+ #include "kex.h"
+ #include "mac.h"
++#include "ssh-gss.h"
+ #include "match.h"
+ #include "channels.h"
+ #include "groupaccess.h"
+@@ -64,7 +65,6 @@
+ #include "auth.h"
+ #include "myproposal.h"
+ #include "digest.h"
+-#include "ssh-gss.h"
+ 
+ static void add_listen_addr(ServerOptions *, const char *,
+     const char *, int);

security/openssh-portable/files/extra-patch-pam-sshd_config

@@ -0,0 +1,31 @@
+--- sshd_config.orig	2025-04-09 00:02:43.000000000 -0700
++++ sshd_config	2025-04-10 21:52:39.463528000 -0700
+@@ -53,8 +53,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
+ 
+-# To disable tunneled clear text passwords, change to "no" here!
+-#PasswordAuthentication yes
++# To enable tunneled clear text passwords, change to yes here!
++#PasswordAuthentication no
+ #PermitEmptyPasswords no
+ 
+ # Change to "no" to disable keyboard-interactive authentication.  Depending on
+@@ -72,7 +72,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
+ 
+-# Set this to 'yes' to enable PAM authentication, account processing,
++# Set this to 'no' to disable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+ # be allowed through the KbdInteractiveAuthentication and
+ # PasswordAuthentication.  Depending on your PAM configuration,
+@@ -81,7 +81,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++#UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes

security/openssh-portable/files/extra-patch-tcpwrappers

@@ -0,0 +1,151 @@
+Revert TCPWRAPPER removal -bdrewery
+
+commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Apr 20 13:22:18 2014 +1000
+
+       - tedu@cvs.openbsd.org 2014/03/26 19:58:37
+         [sshd.8 sshd.c]
+         remove libwrap support. ok deraadt djm mfriedl
+
+diff --git sshd.8 sshd.8
+index 289e13d..e6a900b 100644
+--- sshd.8
++++ sshd.8
+@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+--- sshd-session.c.orig	2024-07-01 13:26:10.677919000 -0700
++++ sshd-session.c	2024-07-01 13:26:58.873906000 -0700
+@@ -110,6 +110,13 @@
+ #include "srclimit.h"
+ #include "dh.h"
+ 
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+@@ -1256,7 +1263,26 @@ main(int ac, char **av)
+ #endif
+ 
+ 	rdomain = ssh_packet_rdomain_in(ssh);
++
++#ifdef LIBWRAP
++	allow_severity = options.log_facility|LOG_INFO;
++	deny_severity = options.log_facility|LOG_WARNING;
++	/* Check whether logins are denied from this host. */
++	if (ssh_packet_connection_is_on_socket(ssh)) {
++		struct request_info req;
+ 
++		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++		fromhost(&req);
++
++		if (!hosts_access(&req)) {
++			debug("Connection refused by tcp wrapper");
++			refuse(&req);
++			/* NOTREACHED */
++			fatal("libwrap refuse returns");
++		}
++	}
++#endif /* LIBWRAP */
++
+ 	/* Log the connection. */
+ 	laddr = get_local_ipaddr(sock_in);
+ 	verbose("Connection from %s port %d on %s port %d%s%s%s",
+--- configure.ac.orig	2022-02-23 03:31:11.000000000 -0800
++++ configure.ac	2022-03-02 12:47:49.958341000 -0800
+@@ -1599,6 +1599,62 @@ else
+ 	AC_MSG_RESULT([no])
+ fi
+ 
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++	[
++		if test "x$withval" != "xno" ; then
++			saved_LIBS="$LIBS"
++			saved_LDFLAGS="$LDFLAGS"
++			saved_CPPFLAGS="$CPPFLAGS"
++			if test -n "${withval}" && \
++			    test "x${withval}" != "xyes"; then
++				if test -d "${withval}/lib"; then
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++					fi
++				else
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval} ${LDFLAGS}"
++					fi
++				fi
++				if test -d "${withval}/include"; then
++					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++				else
++					CPPFLAGS="-I${withval} ${CPPFLAGS}"
++				fi
++			fi
++			LIBS="-lwrap $LIBS"
++			AC_MSG_CHECKING([for libwrap])
++			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++				]], [[
++	hosts_access(0);
++				]])], [
++					AC_MSG_RESULT([yes])
++					AC_DEFINE([LIBWRAP], [1],
++						[Define if you want
++						TCP Wrappers support])
++					SSHDLIBS="$SSHDLIBS -lwrap"
++					TCPW_MSG="yes"
++				], [
++					AC_MSG_ERROR([*** libwrap missing])
++				
++			])
++			LIBS="$saved_LIBS"
++		fi
++	]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5593,6 +5649,7 @@ echo "                       PAM support: $PAM_MSG"
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "                   libldns support: $LDNS_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"

security/openssh-portable/files/extra-patch-version-addendum

@@ -0,0 +1,5 @@
+--- servconf.c.orig	2015-03-28 23:08:41.296700000 -0500
++++ servconf.c	2015-03-28 23:08:54.016291000 -0500
+@@ -318 +318 @@
+-		options->version_addendum = xstrdup("");
++		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD_PORT);

security/openssh-portable/files/openssh.in

@@ -0,0 +1,179 @@
+#!/bin/sh
+
+# PROVIDE: openssh
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf to enable openssh:
+#
+# openssh_enable (bool):	Set it to "YES" to enable openssh.
+#				Default is "NO".
+# openssh_flags (flags):	Set extra flags to openssh.
+#				Default is "". see sshd(1).
+# openssh_pidfile (file):	Set full path to pid file.
+
+. /etc/rc.subr
+
+name="openssh"
+rcvar=openssh_enable
+
+load_rc_config ${name}
+
+: ${openssh_enable:="NO"}
+: ${openssh_skipportscheck="NO"}
+
+# These only control ssh-keygen automatically generating host keys.
+: ${openssh_dsa_enable="YES"}
+: ${openssh_dsa_flags=""}
+: ${openssh_rsa_enable="YES"}
+: ${openssh_rsa_flags=""}
+: ${openssh_ecdsa_enable="YES"}
+: ${openssh_ecdsa_flags=""}
+: ${openssh_ed25519_enable="YES"}
+: ${openssh_ed25519_flags=""}
+
+command=%%PREFIX%%/sbin/sshd
+extra_commands="configtest reload keygen"
+start_precmd="${name}_checks"
+reload_precmd="${name}_checks"
+restart_precmd="${name}_checks"
+configtest_cmd="${name}_configtest"
+keygen_cmd="${name}_keygen"
+pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
+
+openssh_keygen()
+{
+	local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
+	checkyesno openssh_dsa_enable || skip_dsa=y
+	checkyesno openssh_rsa_enable || skip_rsa=y
+	checkyesno openssh_ecdsa_enable || skip_ecdsa=y
+	checkyesno openssh_ed25519_enable || skip_ed25519=y
+
+	if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
+	    \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
+	    \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
+	    \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
+		return 0
+	fi
+
+	umask 022
+
+	# Can't do anything if ssh is not installed
+	[ -x %%PREFIX%%/bin/ssh-keygen ] ||
+		err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
+
+	if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
+		echo "You already have a DSA host key" \
+			"in %%ETCDIR%%/ssh_host_dsa_key"
+		echo "Skipping protocol version 2 DSA Key Generation"
+	elif checkyesno openssh_dsa_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
+			-f %%ETCDIR%%/ssh_host_dsa_key -N ''
+	fi
+
+	if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then
+		echo "You already have a RSA host key" \
+			"in %%ETCDIR%%/ssh_host_rsa_key"
+		echo "Skipping protocol version 2 RSA Key Generation"
+	elif checkyesno openssh_rsa_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
+			-f %%ETCDIR%%/ssh_host_rsa_key -N ''
+	fi
+
+	if [ -f %%ETCDIR%%/ssh_host_ecdsa_key ]; then
+		echo "You already have a Elliptic Curve DSA host key" \
+			"in %%ETCDIR%%/ssh_host_ecdsa_key"
+		echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
+	elif checkyesno openssh_ecdsa_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
+			-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
+	fi
+
+	if [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
+		echo "You already have a Elliptic Curve ED25519 host key" \
+			"in %%ETCDIR%%/ssh_host_ed25519_key"
+		echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
+	elif checkyesno openssh_ed25519_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
+			-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
+	fi
+}
+
+openssh_check_same_ports(){
+    # check if opensshd don't use base system sshd's port
+    #
+    # openssh binds ports in priority (lowest first):
+    # Port from sshd_config
+    # -p option from command line
+    # ListenAddress addr:port from sshd_config
+
+
+    #check if opensshd-portable installed in replacement of base sshd
+    if [ "%%ETCDIR%%" = "/etc/ssh" ]; then
+        return 1
+    fi
+
+    self_port=$(awk '$1~/^ListenAddress/ \
+        {mlen=match($0,":[0-9]*$"); print \
+        substr($0,mlen+1,length($0)-mlen)}' %%ETCDIR%%/sshd_config)
+    if [ -z "$self_port" ]; then
+        self_port=$(echo $openssh_flags | awk \
+            '{for (i = 1; i <= NF; i++) if ($i == "-p") \
+            {i++; printf "%s", $i; break; }; }')
+        if [ -z "$self_port" ]; then
+            self_port=$(awk '$1~/^Port/ {print $2}' \
+                %%ETCDIR%%/sshd_config)
+        fi
+    fi
+    # assume default 22 port
+    if [ -z "$self_port" ]; then
+        self_port=22
+    fi
+
+    load_rc_config "sshd"
+
+    base_sshd_port=$(awk '$1~/^ListenAddress/ \
+        {mlen=match($0,":[0-9]*$"); print \
+        substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config)
+    if [ -z "$base_sshd_port" ]; then
+        base_sshd_port=$(echo $sshd_flags | awk \
+            '{for (i = 1; i <= NF; i++) if ($i == "-p") \
+            {i++; printf "%s", $i; break; }; }')
+        if [ -z "$base_sshd_port" ]; then
+            base_sshd_port=$(awk '$1~/^Port/ {print $2}' \
+                /etc/ssh/sshd_config)
+        fi
+    fi
+    if [ -z "$base_sshd_port" ]; then
+        base_sshd_port=22
+    fi
+
+    # self_port and base_sshd_port may have multiple values. Compare them all
+    for sport in ${self_port}; do
+	    for bport in ${base_sshd_port}; do
+		    [ ${sport} -eq ${bport} ] && return 0
+	    done
+    done
+
+    return 1
+}
+
+openssh_configtest()
+{
+	echo "Performing sanity check on ${name} configuration."
+	eval ${command} ${openssh_flags} -t
+}
+
+openssh_checks()
+{
+	if checkyesno sshd_enable ; then
+      if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then
+          err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port"
+      fi
+	fi
+
+	openssh_keygen
+	openssh_configtest
+}
+
+run_rc_command "$1"

security/openssh-portable/files/patch-regress__test-exec.sh

@@ -0,0 +1,10 @@
+--- regress/test-exec.sh.orig	2015-04-03 18:20:32.256126000 UTC
++++ regress/test-exec.sh	2015-04-03 18:20:41.599903000 -0500
+@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
+ 	LogLevel		DEBUG3
+ 	AcceptEnv		_XXX_TEST_*
+ 	AcceptEnv		_XXX_TEST
++	PermitRootLogin		yes
+ 	Subsystem	sftp	$SFTPSERVER
+ EOF
+ 

security/openssh-portable/files/patch-servconf.c

@@ -0,0 +1,52 @@
+r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+   M /head/crypto/openssh/myproposal.h
+   M /head/crypto/openssh/readconf.c
+   M /head/crypto/openssh/servconf.c
+
+Apply FreeBSD's configuration defaults.
+
+--- servconf.c.orig	2024-07-01 13:30:30.284417000 -0700
++++ servconf.c	2024-07-01 13:31:20.040132000 -0700
+@@ -46,6 +46,7 @@
+ # include "openbsd-compat/glob.h"
+ #endif
+ 
++#include "version.h"
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+ #include "ssh.h"
+@@ -295,7 +296,11 @@ fill_default_server_options(ServerOptions *options)
+ 
+ 	/* Portable-specific options */
+ 	if (options->use_pam == -1)
+-		options->use_pam = 0;
++#ifdef USE_PAM
++		options->use_pam = 1;
++#else
++ 		options->use_pam = 0;
++#endif
+ 	if (options->pam_service_name == NULL)
+ 		options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
+ 
+@@ -339,7 +344,7 @@ fill_default_server_options(ServerOptions *options)
+ 	if (options->print_lastlog == -1)
+ 		options->print_lastlog = 1;
+ 	if (options->x11_forwarding == -1)
+-		options->x11_forwarding = 0;
++		options->x11_forwarding = 1;
+ 	if (options->x11_display_offset == -1)
+ 		options->x11_display_offset = 10;
+ 	if (options->x11_use_localhost == -1)
+@@ -381,7 +386,11 @@ fill_default_server_options(ServerOptions *options)
+ 	if (options->gss_strict_acceptor == -1)
+ 		options->gss_strict_acceptor = 1;
+ 	if (options->password_authentication == -1)
++#ifdef USE_PAM
++		options->password_authentication = 0;
++#else
+ 		options->password_authentication = 1;
++#endif
+ 	if (options->kbd_interactive_authentication == -1)
+ 		options->kbd_interactive_authentication = 1;
+ 	if (options->permit_empty_passwd == -1)

security/openssh-portable/files/patch-session.c

@@ -0,0 +1,78 @@
+bdrewery:
+ - Refactor and simplify original commit.
+ - Stop setting TERM=su without a term.
+
+------------------------------------------------------------------------
+r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines
+Changed paths:
+   M /head/crypto/openssh/session.c
+
+Make sure the environment variables set by setusercontext() are passed on
+to the child process.
+
+Reviewed by:    ache
+Sponsored by:   DARPA, NAI Labs
+
+--- session.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ session.c	2021-04-27 13:11:13.515917000 -0700
+@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
+ }
+ #endif /* HAVE_ETC_DEFAULT_LOGIN */
+ 
+-#if defined(USE_PAM) || defined(HAVE_CYGWIN)
++#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
+ static void
+ copy_environment_denylist(char **source, char ***env, u_int *envsize,
+     const char *denylist)
+@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+ 
+-	if (!options.use_pam) {
++	/* FreeBSD PAM doesn't set default "MAIL" */
++	if (1 || !options.use_pam) {
+ 		snprintf(buf, sizeof buf, "%.200s/%.50s",
+ 		    _PATH_MAILDIR, pw->pw_name);
+ 		child_set_env(&env, &envsize, "MAIL", buf);
+@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ 
+ 	if (getenv("TZ"))
+ 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
++#ifdef HAVE_LOGIN_CAP
++	/* Load environment from /etc/login.conf setenv directives. */
++	{
++		extern char **environ;
++		char **senv, **var;
++
++		senv = environ;
++		environ = xmalloc(sizeof(char *));
++		*environ = NULL;
++		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
++		copy_environment_denylist(environ, &env, &envsize, NULL);
++		for (var = environ; *var != NULL; ++var)
++			free(*var);
++		free(environ);
++		environ = senv;
++	}
++#endif
+ 	if (s->term)
+ 		child_set_env(&env, &envsize, "TERM", s->term);
+ 	if (s->display)
+@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
+ #ifdef HAVE_LOGIN_CAP
+ 	if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
+ 		return;
+-	nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
++	nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl);
+ #else
+ 	if (pw->pw_uid == 0)
+ 		return;
+@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
+ 	if (platform_privileged_uidswap()) {
+ #ifdef HAVE_LOGIN_CAP
+ 		if (setusercontext(lc, pw, pw->pw_uid,
+-		    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
++		    (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
+ 			perror("unable to set user context");
+ 			exit(1);
+ 		}

security/openssh-portable/files/patch-ssh-agent.1

@@ -0,0 +1,26 @@
+--- UTC
+r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
+
+Add a -x option that causes ssh-agent(1) to exit when all clients have
+disconnected.
+
+--- ssh-agent.1.orig	2020-02-13 16:40:54.000000000 -0800
++++ ssh-agent.1	2020-03-21 17:03:22.952068000 -0700
+@@ -43,7 +43,7 @@
+ .Sh SYNOPSIS
+ .Nm ssh-agent
+ .Op Fl c | s
+-.Op Fl \&Dd
++.Op Fl \&Ddx
+ .Op Fl a Ar bind_address
+ .Op Fl E Ar fingerprint_hash
+ .Op Fl P Ar provider_whitelist
+@@ -125,6 +125,8 @@ A lifetime specified for an identity with
+ .Xr ssh-add 1
+ overrides this value.
+ Without this option the default maximum lifetime is forever.
++.It Fl x
++Exit after the last client has disconnected.
+ .It Ar command Op Ar arg ...
+ If a command (and optional arguments) is given,
+ this is executed as a subprocess of the agent.

security/openssh-portable/files/patch-ssh-agent.c

@@ -0,0 +1,97 @@
+--- UTC
+r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
+
+Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
+
+r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
+
+Add a -x option that causes ssh-agent(1) to exit when all clients have
+disconnected.
+
+--- ssh-agent.c.orig	2023-12-18 06:59:50.000000000 -0800
++++ ssh-agent.c	2023-12-19 17:16:22.128981000 -0800
+@@ -196,11 +196,28 @@
+ /* Refuse signing of non-SSH messages for web-origin FIDO keys */
+ static int restrict_websafe = 1;
+ 
++/*
++ * Client connection count; incremented in new_socket() and decremented in
++ * close_socket().  When it reaches 0, ssh-agent will exit.  Since it is
++ * normally initialized to 1, it will never reach 0.  However, if the -x
++ * option is specified, it is initialized to 0 in main(); in that case,
++ * ssh-agent will exit as soon as it has had at least one client but no
++ * longer has any.
++ */
++static int xcount = 1;
++
+ static void
+ close_socket(SocketEntry *e)
+ {
+ 	size_t i;
++	int last = 0;
+ 
++	if (e->type == AUTH_CONNECTION) {
++		debug("xcount %d -> %d", xcount, xcount - 1);
++		if (--xcount == 0)
++			last = 1;
++	}
++
+ 	close(e->fd);
+ 	sshbuf_free(e->input);
+ 	sshbuf_free(e->output);
+@@ -213,6 +230,8 @@
+ 	memset(e, '\0', sizeof(*e));
+ 	e->fd = -1;
+ 	e->type = AUTH_UNUSED;
++	if (last)
++		cleanup_exit(0);
+ }
+ 
+ static void
+@@ -1893,6 +1912,10 @@
+ 
+ 	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
+ 	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
++	if (type == AUTH_CONNECTION) {
++		debug("xcount %d -> %d", xcount, xcount + 1);
++		++xcount;
++	}
+ 	set_nonblock(fd);
+ 
+ 	if (fd > max_fd)
+@@ -2184,7 +2207,7 @@
+ usage(void)
+ {
+ 	fprintf(stderr,
+-	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
++	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
+ 	    "                 [-O option] [-P allowed_providers] [-t life]\n"
+ 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
+ 	    "                 [-P allowed_providers] [-t life] command [arg ...]\n"
+@@ -2218,6 +2241,7 @@
+ 	/* drop */
+ 	(void)setegid(getgid());
+ 	(void)setgid(getgid());
++	(void)setuid(geteuid());
+ 
+ 	platform_disable_tracing(0);	/* strict=no */
+ 
+@@ -2229,7 +2253,7 @@
+ 	__progname = ssh_get_progname(av[0]);
+ 	seed_rng();
+ 
+-	while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
++	while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
+ 		switch (ch) {
+ 		case 'E':
+ 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -2280,6 +2304,9 @@
+ 				fprintf(stderr, "Invalid lifetime\n");
+ 				usage();
+ 			}
++			break;
++		case 'x':
++			xcount = 0;
+ 			break;
+ 		default:
+ 			usage();

security/openssh-portable/files/patch-ssh.c

@@ -0,0 +1,33 @@
+--- UTC
+r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+   M /head/crypto/openssh/ssh.c
+
+Canonicize the host name before looking it up in the host file.
+
+--- ssh.c.orig	2018-04-02 05:38:28 UTC
++++ ssh.c
+@@ -1281,6 +1281,23 @@ main(int ac, char **av)
+ 	ssh_digest_free(md);
+ 	conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
+ 
++	/* Find canonic host name. */
++	if (strchr(host, '.') == 0) {
++		struct addrinfo hints;
++		struct addrinfo *ai = NULL;
++		int errgai;
++		memset(&hints, 0, sizeof(hints));
++		hints.ai_family = options.address_family;
++		hints.ai_flags = AI_CANONNAME;
++		hints.ai_socktype = SOCK_STREAM;
++		errgai = getaddrinfo(host, NULL, &hints, &ai);
++		if (errgai == 0) {
++			if (ai->ai_canonname != NULL)
++				host = xstrdup(ai->ai_canonname);
++			freeaddrinfo(ai);
++		}
++	}
++
+ 	/*
+ 	 * Expand tokens in arguments. NB. LocalCommand is expanded later,
+ 	 * after port-forwarding is set up, so it may pick up any local

security/openssh-portable/files/patch-ssh_config

@@ -0,0 +1,11 @@
+--- ssh_config.orig	2024-09-19 15:20:48.000000000 -0700
++++ ssh_config	2024-11-09 12:23:47.263548000 -0800
+@@ -17,6 +17,8 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
++Include ssh_config.d/*.conf
++
+ # Host *
+ #   ForwardAgent no
+ #   ForwardX11 no

security/openssh-portable/files/patch-ssh_config.5

@@ -0,0 +1,13 @@
+--- UTC
+
+--- ssh_config.5.orig	2020-11-16 11:53:55.871161000 -0800
++++ ssh_config.5	2020-11-16 12:43:41.763006000 -0800
+@@ -434,6 +433,8 @@ in the process, regardless of the setting of
+ If the option is set to
+ .Cm no ,
+ the check will not be executed.
++The default is
++.Cm no .
+ .It Cm Ciphers
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated.

security/openssh-portable/files/patch-sshd.8

@@ -0,0 +1,26 @@
+--- UTC
+Document FreeBSD/port-specific paths
+
+--- sshd.8.orig	2010-08-04 21:03:13.000000000 -0600
++++ sshd.8	2010-09-14 16:14:14.000000000 -0600
+@@ -70,7 +70,7 @@
+ .Nm
+ listens for connections from clients.
+ It is normally started at boot from
+-.Pa /etc/rc .
++.Pa /usr/local/etc/rc.d/openssh .
+ It forks a new
+ daemon for each incoming connection.
+ The forked daemons handle
+@@ -384,8 +384,9 @@
+ If the login is on a tty, records login time.
+ .It
+ Checks
+-.Pa /etc/nologin ;
+-if it exists, prints contents and quits
++.Pa /etc/nologin and
++.Pa /var/run/nologin ;
++if one exists, it prints the contents and quits
+ (unless root).
+ .It
+ Changes to run with normal user privileges.

security/openssh-portable/files/patch-sshd.c

@@ -0,0 +1,101 @@
+--- UTC
+r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines
+Changed paths:
+   M /head/crypto/openssh/sshd.c
+
+Force early initialization of the resolver library, since the resolver
+configuration files will no longer be available once sshd is chrooted.
+
+PR:             39953, 40894
+Submitted by:   dinoex
+
+r199804 | attilio | 2009-11-25 09:12:24 -0600 (Wed, 25 Nov 2009) | 13 lines
+Changed paths:
+   M /head/crypto/openssh/sshd.c
+   M /head/usr.sbin/cron/cron/cron.c
+   M /head/usr.sbin/inetd/inetd.c
+   M /head/usr.sbin/syslogd/syslogd.c
+
+Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap
+environments.
+Please note that this can't be done while such processes run in jails.
+
+Note: in future it would be interesting to find a way to do that
+selectively for any desired proccess (choosen by user himself), probabilly
+via a ptrace interface or whatever.
+
+r206397 | kib | 2010-04-08 07:07:40 -0500 (Thu, 08 Apr 2010) | 8 lines
+Changed paths:
+   M /head/crypto/openssh/sshd.c
+
+Enhance r199804 by marking the daemonised child as immune to OOM instead
+of short-living parent. Only mark the master process that accepts
+connections, do not protect connection handlers spawned from inetd.
+
+
+--- sshd.c.orig	2024-06-30 21:36:28.000000000 -0700
++++ sshd.c	2024-07-01 13:44:05.739756000 -0700
+@@ -28,6 +28,7 @@
+ 
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #ifdef HAVE_SYS_STAT_H
+ # include <sys/stat.h>
+@@ -69,6 +70,13 @@
+ #include <prot.h>
+ #endif
+ 
++#ifdef __FreeBSD__
++#include <resolv.h>
++#ifdef GSSAPI
++#include "ssh-gss.h"
++#endif
++#endif
++
+ #include "xmalloc.h"
+ #include "ssh.h"
+ #include "sshpty.h"
+@@ -1671,7 +1679,30 @@ main(int ac, char **av)
+ 	for (i = 0; i < options.num_log_verbose; i++)
+ 		log_verbose_add(options.log_verbose[i]);
+ 
++#ifdef __FreeBSD__
+ 	/*
++	 * Initialize the resolver.  This may not happen automatically
++	 * before privsep chroot().
++	 */
++	if ((_res.options & RES_INIT) == 0) {
++		debug("res_init()");
++		res_init();
++	}
++#ifdef GSSAPI
++	/*
++	 * Force GSS-API to parse its configuration and load any
++	 * mechanism plugins.
++	 */
++	{
++		gss_OID_set mechs;
++		OM_uint32 minor_status;
++		gss_indicate_mechs(&minor_status, &mechs);
++		gss_release_oid_set(&minor_status, &mechs);
++	}
++#endif
++#endif
++
++	/*
+ 	 * If not in debugging mode, not started from inetd and not already
+ 	 * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
+ 	 * terminal, and fork.  The original process exits.
+@@ -1687,6 +1718,10 @@ main(int ac, char **av)
+ 	/* Reinitialize the log (because of the fork above). */
+ 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ 
++ 	/* Avoid killing the process in high-pressure swapping environments. */
++ 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ 		debug("madvise(): %.200s", strerror(errno));
++
+ 	/*
+ 	 * Chdir to the root directory so that the current disk can be
+ 	 * unmounted if desired.

security/openssh-portable/files/patch-sshd_config

@@ -0,0 +1,33 @@
+--- sshd_config.orig	2024-11-09 12:22:03.414050000 -0800
++++ sshd_config	2024-11-09 12:25:59.964286000 -0800
+@@ -10,6 +10,11 @@
+ # possible, but leave them commented.  Uncommented options override the
+ # default value.
+ 
++# Note that some of FreeBSD's defaults differ from OpenBSD's, and
++# FreeBSD has a few additional options.
++
++Include sshd_config.d/*.conf
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+@@ -37,8 +42,7 @@
+ #PubkeyAuthentication yes
+ 
+ # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile	.ssh/authorized_keys
++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+ 
+ #AuthorizedPrincipalsFile none
+ 
+@@ -84,7 +88,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+-#X11Forwarding no
++#X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes

security/openssh-portable/files/patch-sshd_config.5

@@ -0,0 +1,59 @@
+--- sshd_config.5.orig	2022-02-11 18:50:00.822679000 +0000
++++ sshd_config.5	2022-02-11 19:09:05.162504000 +0000
+@@ -701,7 +701,9 @@
+ .Qq ssh -Q HostbasedAcceptedAlgorithms .
+ This was formerly named HostbasedAcceptedKeyTypes.
+ .It Cm HostbasedAuthentication
+-Specifies whether rhosts or /etc/hosts.equiv authentication together
++Specifies whether rhosts or
++.Pa /etc/hosts.equiv
++authentication together
+ with successful public key client host authentication is allowed
+ (host-based authentication).
+ The default is
+@@ -1416,6 +1434,15 @@
+ .Cm ethernet .
+ The default is
+ .Cm no .
++Note that if
++.Cm ChallengeResponseAuthentication
++is
++.Cm yes ,
++the root user may be allowed in with its password even if
++.Cm PermitRootLogin is set to
++.Cm prohibit-password
++or
++.Cm without-password .
+ .Pp
+ Independent of this setting, the permissions of the selected
+ .Xr tun 4
+@@ -1774,12 +1801,19 @@
+ .Xr sshd 8
+ as a non-root user.
+ The default is
++.Cm yes ,
++unless
++.Nm sshd
++was built without PAM support, in which case the default is
+ .Cm no .
+ .It Cm VersionAddendum
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+ The default is
+-.Cm none .
++.Cm %%SSH_VERSION_FREEBSD_PORT%% .
++The value
++.Cm none
++may be used to disable this.
+ .It Cm X11DisplayOffset
+ Specifies the first display number available for
+ .Xr sshd 8 Ns 's
+@@ -1793,7 +1827,7 @@
+ or
+ .Cm no .
+ The default is
+-.Cm no .
++.Cm yes .
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the