Going back to openssh 8.8

2024-10-08 09:54:55 +02:00
parent 09e08245c5
commit 1b2c8330ff
20 changed files with 241 additions and 709 deletions


@ -1,6 +1,8 @@
# Created by: dwcjr@inethouston.net
PORTNAME= openssh PORTNAME= openssh
DISTVERSION= 9.3p2 DISTVERSION= 8.8p1
PORTREVISION= 2 PORTREVISION= 1
PORTEPOCH= 1 PORTEPOCH= 1
CATEGORIES= security CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable MASTER_SITES= OPENBSD/OpenSSH/portable
@ -8,7 +10,6 @@ PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH COMMENT= The portable version of OpenBSD's OpenSSH
WWW= https://www.openssh.com/portable.html
LICENSE= OPENSSH LICENSE= OPENSSH
LICENSE_NAME= OpenSSH Licenses LICENSE_NAME= OpenSSH Licenses
@ -66,8 +67,6 @@ BLACKLISTD_DESC= FreeBSD blacklistd(8) support
OPTIONS_SUB= yes OPTIONS_SUB= yes
PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_CONFIGURE_WITH= ldns=${LOCALBASE}
@ -101,22 +100,21 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
# Must add this patch before HPN due to conflicts # Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
# Needed glue for applying HPN patch without conflict # Needed glue for applying HPN patch without conflict
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif . endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from. # pull from.
GSSAPI_DEBIAN_VERSION= 9.4p1 GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2
GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
# - Debian does not use a versioned filename so we trick fetch to make one for # - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick. # us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location # Bump this when updating the patch location
GSSAPI_DISTVERSION= 9.4p1 GSSAPI_UPDATE_DATE= 20200607
PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
.endif .endif
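Review bot: The KERB_GSSAPI branch's new PATCHFILES entry, `openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch`, has no SHA256/SIZE line in distinfo (that section only drops the 9.4p1 gsskex entries and adds none), so a fetch with that option would fail the checksum check; presumably the now-uncommented `BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.` is what masks this, and a short comment saying the distinfo entry is deliberately absent would stop the next maintainer from treating it as an oversight. Moving DISTVERSION from 9.3p2 to 8.8p1 also deletes the port's strict-KEX patch (the kex.c/kex.h/packet.c patch further down this page that adds `kex_strict` and the `kex-strict-*-v00@openssh.com` markers) without carrying it over to the 8.8 tree, so the rebuilt ssh/sshd lose that hardening; the one-line message "Going back to openssh 8.8" should state the reason for the downgrade and that this patch is intentionally dropped. The PAM_EXTRA_PATCHES line and its sshd_config patch go away as well, which changes the shipped commented defaults (`#UsePAM yes`, `#PasswordAuthentication no`), and is worth a mention in the message too.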


@ -1,5 +1,3 @@
TIMESTAMP = 1695396338 TIMESTAMP = 1634059537
SHA256 (openssh-9.3p2.tar.gz) = 200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8 SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
SIZE (openssh-9.3p2.tar.gz) = 1835850 SIZE (openssh-8.8p1.tar.gz) = 1815060
SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 9492c1db4307aa3fe6e12d77fff01376bf275af2980ae55b926a505aae9e9b14
SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131674


@ -351,15 +351,15 @@
if (use_privsep) { if (use_privsep) {
if (privsep_preauth(ssh) == 1) if (privsep_preauth(ssh) == 1)
--- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 --- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800
+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 +++ Makefile.in 2020-11-16 16:28:28.083007000 -0800
@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S @@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS)
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@ @UNSUPPORTED_ALGORITHMS@
+LIBSSH_OBJS+= blacklist.o +LIBSSH_OBJS+= blacklist.o
+ +
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS)
$(LIBSSH_OBJS): Makefile.in config.h $(LIBSSH_OBJS): Makefile.in config.h
--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 --- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800


@ -1,19 +0,0 @@
--- auth2-gss.c.orig 2022-03-03 10:56:35.668672000 -0800
+++ auth2-gss.c 2022-03-03 11:03:16.048838000 -0800
@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct
* The 'gssapi_keyex' userauth mechanism.
*/
static int
-userauth_gsskeyex(struct ssh *ssh)
+userauth_gsskeyex(struct ssh *ssh, const char *method)
{
Authctxt *authctxt = ssh->authctxt;
int r, authenticated = 0;
@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh
Authmethod method_gsskeyex = {
"gssapi-keyex",
+ NULL,
userauth_gsskeyex,
&options.gss_authentication
};


@ -0,0 +1,12 @@
Avoid free(const char*)
--- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800
+++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800
@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
/* Fall back to specified host if we are using proxy command
* and can not use DNS on that socket */
if (strcmp(gss_host, "UNKNOWN") == 0) {
- gss_host = authctxt->host;
+ gss_host = xstrdup(authctxt->host);
}
} else {
gss_host = xstrdup(authctxt->host);
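Review bot: The replacement line `gss_host = xstrdup(authctxt->host);` overwrites gss_host without releasing the value that was just compared against "UNKNOWN"; if that earlier value was heap-allocated (the patch title "Avoid free(const char*)" implies gss_host is freed later, so an allocated string is likely), the fallback path leaks it. Freeing first, `free(gss_host); gss_host = xstrdup(authctxt->host);`, keeps both branches owning a heap copy. userauth_gssapi starts before this hunk, so the line that assigned gss_host is not visible here and this should be confirmed against it.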


@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ (tasota@gmail.com) an NSF REU grant recipient for 2013. + (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National + This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation. + Library of Medicine, and the National Science Foundation.
--- channels.c.orig 2023-02-02 04:21:54.000000000 -0800 --- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ channels.c 2023-02-03 10:45:34.136793000 -0800 +++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700
@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels * @@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
/* Setup helper */ /* Setup helper */
static void channel_handler_init(struct ssh_channels *sc); static void channel_handler_init(struct ssh_channels *sc);
@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* -- channel core */ /* -- channel core */
void void
@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in @@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
c->local_window = window; c->local_window = window;
c->local_window_max = window; c->local_window_max = window;
c->local_maxpacket = maxpack; c->local_maxpacket = maxpack;
@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->remote_name = xstrdup(remote_name); c->remote_name = xstrdup(remote_name);
c->ctl_chan = -1; c->ctl_chan = -1;
c->delayed = 1; /* prevent call to channel_post handler */ c->delayed = 1; /* prevent call to channel_post handler */
@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int @@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
fatal_fr(r, "channel %i", c->self); FD_SET(c->sock, writeset);
} }
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif +#endif
+ +
static void static void
channel_pre_listener(struct ssh *ssh, Channel *c) channel_pre_open(struct ssh *ssh, Channel *c,
{ fd_set *readset, fd_set *writeset)
@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c) @@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
c->local_maxpacket*3) || c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) && c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) { c->local_consumed > 0) {
@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->local_consumed = 0; c->local_consumed = 0;
} }
return 1; return 1;
@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis @@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
return addr; return addr;
} }
@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
static int static int
channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
struct Forward *fwd, int *allocated_listen_port, struct Forward *fwd, int *allocated_listen_port,
@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int @@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
} }
/* Allocate a channel number for the socket. */ /* Allocate a channel number for the socket. */
@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * window size. + * window size.
+ */ + */
+ if (!hpn_disabled) + if (!hpn_disabled)
+ c = channel_new(ssh, "port listener", type, sock, sock, + c = channel_new(ssh, "port listener", type, sock, sock, -1,
+ -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1); + 0, "port listener", 1);
+ else + else
+#endif +#endif
c = channel_new(ssh, "port-listener", type, sock, sock, -1, c = channel_new(ssh, "port listener", type, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "port listener", 1); 0, "port listener", 1);
@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ @@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
*chanids = xcalloc(num_socks + 1, sizeof(**chanids)); *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) { for (n = 0; n < num_socks; n++) {
sock = socks[n]; sock = socks[n];
@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ 0, "X11 inet listener", 1); + 0, "X11 inet listener", 1);
+ else + else
+#endif +#endif
nc = channel_new(ssh, "x11-listener", nc = channel_new(ssh, "x11 listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1, SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 --- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700
@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
free(cipher_list); free(cipher_list);
return 0; return 0;
} }
--- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800 --- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800 +++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700
@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques @@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
sock = x11_connect_display(ssh); sock = x11_connect_display(ssh);
if (sock < 0) if (sock < 0)
return NULL; return NULL;
@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c = channel_new(ssh, "x11", c = channel_new(ssh, "x11",
SSH_CHANNEL_X11_OPEN, sock, sock, -1, SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ @@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
else __func__, ssh_err(r));
debug2_fr(r, "ssh_agent_bind_hostkey"); return NULL;
}
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ if (!options.hpn_disabled) + if (!options.hpn_disabled)
+ c = channel_new(ssh, "authentication agent connection", + c = channel_new(ssh, "authentication agent connection",
@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c = channel_new(ssh, "authentication agent connection", c = channel_new(ssh, "authentication agent connection",
SSH_CHANNEL_OPEN, sock, sock, -1, SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, @@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
} }
debug("Tunnel forwarding using interface %s", ifname); debug("Tunnel forwarding using interface %s", ifname);
@ -1119,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sshpkt_fatal(ssh, r, "banner exchange"); sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */ /* Put the connection into non-blocking mode. */
--- work/openssh/sshconnect2.c.orig 2023-03-15 14:28:19.000000000 -0700 --- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700
+++ work/openssh/sshconnect2.c 2023-05-19 14:20:01.965073000 -0700 +++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700
@@ -83,7 +83,13 @@ extern Options options; @@ -84,7 +84,13 @@
extern char *client_version_string; extern char *client_version_string;
extern char *server_version_string; extern char *server_version_string;
extern Options options; extern Options options;
@ -1135,7 +1135,29 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* /*
* SSH2 key exchange * SSH2 key exchange
*/ */
@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, @@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
return ret;
}
+static char *myproposal[PROPOSAL_MAX];
+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
void
ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
const struct ssh_conn_info *cinfo)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
char *s, *all_key;
int r, use_known_hosts_order = 0;
@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
fatal_fr(r, "kex_assemble_namelist");
free(all_key);
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal_f("kex_names_cat");
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success) if (!authctxt.success)
fatal("Authentication failed."); fatal("Authentication failed.");
@ -1147,16 +1169,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * tty allocated. + * tty allocated.
+ */ + */
+ if ((options.none_switch == 1) && (options.none_enabled == 1)) { + if ((options.none_switch == 1) && (options.none_enabled == 1)) {
+ char *myproposal[PROPOSAL_MAX];
+ char *s = NULL;
+ const char *none_cipher = "none";
+
+ if (!tty_flag) { /* no null on tty sessions */ + if (!tty_flag) { /* no null on tty sessions */
+ debug("Requesting none rekeying..."); + debug("Requesting none rekeying...");
+ kex_proposal_populate_entries(ssh, myproposal, s, none_cipher, + memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ options.macs, + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+ compression_alg_list(options.compression), + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+ options.hostkeyalgorithms);
+ kex_prop2buf(ssh->kex->my, myproposal); + kex_prop2buf(ssh->kex->my, myproposal);
+ packet_request_rekeying(); + packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
@ -1269,11 +1286,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis # Example of overriding settings on a per-user basis
#Match User anoncvs #Match User anoncvs
# X11Forwarding no # X11Forwarding no
--- version.h.orig 2023-07-18 23:31:34.000000000 -0700 --- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
+++ version.h 2023-07-21 07:27:08.311422000 -0700 +++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
@@ -4,3 +4,4 @@ @@ -4,3 +4,4 @@
#define SSH_PORTABLE "p2" #define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_HPN "-hpn14v15" +#define SSH_HPN "-hpn14v15"
--- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700 --- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700
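Review bot: In the none-cipher rekey block of ssh_userauth2 (the hunk headed `@@ -487,6 +495,29 @@` on the new side), `memcpy(&myproposal, &myproposal_default, sizeof(myproposal));` resets every slot of the file-static proposal to the compile-time KEX_CLIENT defaults before only the two ENC_ALGS slots are set to "none", so the proposal `kex_prop2buf` sends for the rekey discards the KexAlgorithms entry (and presumably the MACs and host key algorithms) that ssh_kex2 had written into the same array at `myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);`. The 9.3 side built the rekey proposal from options.macs and options.hostkeyalgorithms; the 8.8 side should at least drop that second memcpy so the user-configured entries survive, or rebuild them from options explicitly. Since this path deliberately negotiates an unencrypted transport (the `WARNING: ENABLED NONE CIPHER` message), silently resetting the rest of the proposal in the same step deserves a comment even if it is accepted as-is. Both ssh_kex2 and ssh_userauth2 extend beyond the lines shown.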


@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------ ------------------------------------------------------------------------
--- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800 --- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700
+++ readconf.c 2023-02-03 11:30:14.894959000 -0800 +++ readconf.c 2021-04-27 11:25:24.222034000 -0700
@@ -323,6 +323,12 @@ static struct { @@ -316,6 +316,12 @@ static struct {
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand }, { "knownhostscommand", oKnownHostsCommand },
{ "requiredrsasize", oRequiredRSASize },
{ "enableescapecommandline", oEnableEscapeCommandline },
+ { "hpndisabled", oDeprecated }, + { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated }, + { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated }, + { "tcprcvbufpoll", oDeprecated },
@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
{ NULL, oBadOption } { NULL, oBadOption }
}; };
--- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800 --- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800
+++ servconf.c 2023-02-03 11:31:00.387624000 -0800 +++ servconf.c 2020-03-21 17:01:18.011062000 -0700
@@ -695,6 +695,10 @@ static struct { @@ -695,6 +695,10 @@ static struct {
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, { "rdomain", sRDomain, SSHCFG_ALL },
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL },


@ -1,31 +0,0 @@
--- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000
+++ sshd_config 2022-02-11 19:20:45.334738000 +0000
@@ -55,8 +55,8 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# To enable tunneled clear text passwords, change to yes here!
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -72,7 +72,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
@@ -81,7 +81,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes


@ -83,9 +83,11 @@ index 0ade557..045f149 100644
/* Log the connection. */ /* Log the connection. */
laddr = get_local_ipaddr(sock_in); laddr = get_local_ipaddr(sock_in);
--- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800 diff --git configure.ac configure.ac
+++ configure.ac 2022-03-02 12:47:49.958341000 -0800 index f48ba4a..66fbe82 100644
@@ -1599,6 +1599,62 @@ else --- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700
+++ configure.ac 2019-07-02 20:58:48.627832000 -0700
@@ -1494,6 +1494,62 @@ else
AC_MSG_RESULT([no]) AC_MSG_RESULT([no])
fi fi
@ -148,11 +150,11 @@ index 0ade557..045f149 100644
# Check whether user wants to use ldns # Check whether user wants to use ldns
LDNS_MSG="no" LDNS_MSG="no"
AC_ARG_WITH(ldns, AC_ARG_WITH(ldns,
@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG" @@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG" echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG" echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG" +echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG" echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"


@ -22,16 +22,6 @@ load_rc_config ${name}
: ${openssh_enable:="NO"} : ${openssh_enable:="NO"}
: ${openssh_skipportscheck="NO"} : ${openssh_skipportscheck="NO"}
# These only control ssh-keygen automatically generating host keys.
: ${openssh_dsa_enable="YES"}
: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
: ${openssh_ecdsa_flags=""}
: ${openssh_ed25519_enable="YES"}
: ${openssh_ed25519_flags=""}
command=%%PREFIX%%/sbin/sshd command=%%PREFIX%%/sbin/sshd
extra_commands="configtest reload keygen" extra_commands="configtest reload keygen"
start_precmd="${name}_checks" start_precmd="${name}_checks"
@ -43,16 +33,10 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
openssh_keygen() openssh_keygen()
{ {
local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519= if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
checkyesno openssh_dsa_enable || skip_dsa=y -f %%ETCDIR%%/ssh_host_rsa_key -a \
checkyesno openssh_rsa_enable || skip_rsa=y -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
checkyesno openssh_ecdsa_enable || skip_ecdsa=y -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
checkyesno openssh_ed25519_enable || skip_ed25519=y
if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
\( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
\( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
\( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
return 0 return 0
fi fi
@ -66,8 +50,8 @@ openssh_keygen()
echo "You already have a DSA host key" \ echo "You already have a DSA host key" \
"in %%ETCDIR%%/ssh_host_dsa_key" "in %%ETCDIR%%/ssh_host_dsa_key"
echo "Skipping protocol version 2 DSA Key Generation" echo "Skipping protocol version 2 DSA Key Generation"
elif checkyesno openssh_dsa_enable; then else
%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \ %%PREFIX%%/bin/ssh-keygen -t dsa \
-f %%ETCDIR%%/ssh_host_dsa_key -N '' -f %%ETCDIR%%/ssh_host_dsa_key -N ''
fi fi
@ -75,8 +59,8 @@ openssh_keygen()
echo "You already have a RSA host key" \ echo "You already have a RSA host key" \
"in %%ETCDIR%%/ssh_host_rsa_key" "in %%ETCDIR%%/ssh_host_rsa_key"
echo "Skipping protocol version 2 RSA Key Generation" echo "Skipping protocol version 2 RSA Key Generation"
elif checkyesno openssh_rsa_enable; then else
%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \ %%PREFIX%%/bin/ssh-keygen -t rsa \
-f %%ETCDIR%%/ssh_host_rsa_key -N '' -f %%ETCDIR%%/ssh_host_rsa_key -N ''
fi fi
@ -84,8 +68,8 @@ openssh_keygen()
echo "You already have a Elliptic Curve DSA host key" \ echo "You already have a Elliptic Curve DSA host key" \
"in %%ETCDIR%%/ssh_host_ecdsa_key" "in %%ETCDIR%%/ssh_host_ecdsa_key"
echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation" echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
elif checkyesno openssh_ecdsa_enable; then else
%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \ %%PREFIX%%/bin/ssh-keygen -t ecdsa \
-f %%ETCDIR%%/ssh_host_ecdsa_key -N '' -f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
fi fi
@ -93,8 +77,8 @@ openssh_keygen()
echo "You already have a Elliptic Curve ED25519 host key" \ echo "You already have a Elliptic Curve ED25519 host key" \
"in %%ETCDIR%%/ssh_host_ed25519_key" "in %%ETCDIR%%/ssh_host_ed25519_key"
echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation" echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
elif checkyesno openssh_ed25519_enable; then else
%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \ %%PREFIX%%/bin/ssh-keygen -t ed25519 \
-f %%ETCDIR%%/ssh_host_ed25519_key -N '' -f %%ETCDIR%%/ssh_host_ed25519_key -N ''
fi fi
} }
@ -172,7 +156,7 @@ openssh_checks()
fi fi
fi fi
openssh_keygen run_rc_command keygen
openssh_configtest openssh_configtest
} }
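Review bot: The new `openssh_keygen` generates all four host key types unconditionally — each `else` branch runs `ssh-keygen -t dsa|rsa|ecdsa|ed25519` whenever the key file is absent — and the rc.conf knobs (`openssh_dsa_enable`, `openssh_*_flags`) that let an administrator skip a type or pass flags are gone from the new side, so there is no longer a way to avoid creating a DSA host key on first start, a key type recent OpenSSH releases do not offer by default. That is a user-visible regression for existing rc.conf settings and is not mentioned in the commit message; if the older script is the intended target, a header comment on `openssh_keygen` naming which key types are created and that the `openssh_<type>_enable` variables are no longer honoured would help. The final change, `run_rc_command keygen` replacing the direct `openssh_keygen` call inside `openssh_checks`, re-enters the rc framework from within a precmd; presumably harmless, but worth confirming it still runs when start_precmd fires.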


@ -1,69 +0,0 @@
(pulled from the PR)
commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
Author: Ed Maste <emaste@FreeBSD.org>
Date: Tue Aug 31 15:30:50 2021 -0400
openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8ad. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fcee, bd393de91cc3, and
e8c56fba2926.
During an attempt to upstream the work a much simpler approach was
suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.
Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: https://github.com/openssh/openssh-portable/pull/262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760
--- auth.c
+++ auth.c
@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
{
#ifdef HAVE_LOGIN_CAP
extern login_cap_t *lc;
+#ifdef HAVE_AUTH_HOSTOK
+ const char *from_host, *from_ip;
+#endif
#ifdef BSD_AUTH
auth_session_t *as;
#endif
@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
debug("unable to get login class: %s", user);
return (NULL);
}
+#ifdef HAVE_AUTH_HOSTOK
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ debug("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_HOSTOK */
+#ifdef HAVE_AUTH_TIMEOK
+ if (!auth_timeok(lc, time(NULL))) {
+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_TIMEOK */
#ifdef BSD_AUTH
if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
--- configure.ac
+++ configure.ac
@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
+ auth_hostok \
+ auth_timeok \
Blowfish_initstate \
Blowfish_expandstate \
Blowfish_expand0state \


@ -1,425 +0,0 @@
--- kex.c.orig
+++ kex.c
@@ -65,7 +65,7 @@
#include "xmalloc.h"
/* prototype */
-static int kex_choose_conf(struct ssh *);
+static int kex_choose_conf(struct ssh *, uint32_t seq);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
static const char * const proposal_names[PROPOSAL_MAX] = {
@@ -177,6 +177,18 @@
return 1;
}
+/* returns non-zero if proposal contains any algorithm from algs */
+static int
+has_any_alg(const char *proposal, const char *algs)
+{
+ char *cp;
+
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
+ return 0;
+ free(cp);
+ return 1;
+}
+
/*
* Concatenate algorithm names, avoiding duplicates in the process.
* Caller must free returned string.
@@ -184,7 +196,7 @@
char *
kex_names_cat(const char *a, const char *b)
{
- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
+ char *ret = NULL, *tmp = NULL, *cp, *p;
size_t len;
if (a == NULL || *a == '\0')
@@ -201,10 +213,8 @@
}
strlcpy(ret, a, len);
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
- if ((m = match_list(ret, p, NULL)) != NULL) {
- free(m);
+ if (has_any_alg(ret, p))
continue; /* Algorithm already present */
- }
if (strlcat(ret, ",", len) >= len ||
strlcat(ret, p, len) >= len) {
free(tmp);
@@ -334,15 +344,23 @@
const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT };
const char **defprop = ssh->kex->server ? defpropserver : defpropclient;
u_int i;
+ char *cp;
if (prop == NULL)
fatal_f("proposal missing");
+ /* Append EXT_INFO signalling to KexAlgorithms */
+ if (kexalgos == NULL)
+ kexalgos = defprop[PROPOSAL_KEX_ALGS];
+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
+ "kex-strict-s-v00@openssh.com" :
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+ fatal_f("kex_names_cat");
+
for (i = 0; i < PROPOSAL_MAX; i++) {
switch(i) {
case PROPOSAL_KEX_ALGS:
- prop[i] = compat_kex_proposal(ssh,
- kexalgos ? kexalgos : defprop[i]);
+ prop[i] = compat_kex_proposal(ssh, cp);
break;
case PROPOSAL_ENC_ALGS_CTOS:
case PROPOSAL_ENC_ALGS_STOC:
@@ -363,6 +381,7 @@
prop[i] = xstrdup(defprop[i]);
}
}
+ free(cp);
}
void
@@ -466,7 +485,12 @@
{
int r;
- error("kex protocol error: type %d seq %u", type, seq);
+ /* If in strict mode, any unexpected message is an error */
+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
+ "unexpected packet type %u (seqnr %u)", type, seq);
+ }
+ error_f("type %u seq %u", type, seq);
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
@@ -563,7 +587,7 @@
if (ninfo >= 1024) {
error("SSH2_MSG_EXT_INFO with too many entries, expected "
"<=1024, received %u", ninfo);
- return SSH_ERR_INVALID_FORMAT;
+ return dispatch_protocol_error(type, seq, ssh);
}
for (i = 0; i < ninfo; i++) {
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
@@ -681,7 +705,7 @@
error_f("no kex");
return SSH_ERR_INTERNAL_ERROR;
}
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
@@ -717,7 +741,7 @@
if (!(kex->flags & KEX_INIT_SENT))
if ((r = kex_send_kexinit(ssh)) != 0)
return r;
- if ((r = kex_choose_conf(ssh)) != 0)
+ if ((r = kex_choose_conf(ssh, seq)) != 0)
return r;
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
@@ -981,20 +1005,14 @@
return (1);
}
-/* returns non-zero if proposal contains any algorithm from algs */
static int
-has_any_alg(const char *proposal, const char *algs)
+kexalgs_contains(char **peer, const char *ext)
{
- char *cp;
-
- if ((cp = match_list(proposal, algs, NULL)) == NULL)
- return 0;
- free(cp);
- return 1;
+ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
}
static int
-kex_choose_conf(struct ssh *ssh)
+kex_choose_conf(struct ssh *ssh, uint32_t seq)
{
struct kex *kex = ssh->kex;
struct newkeys *newkeys;
@@ -1019,13 +1037,23 @@
sprop=peer;
}
- /* Check whether client supports ext_info_c */
- if (kex->server && (kex->flags & KEX_INITIAL)) {
- char *ext;
-
- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
- kex->ext_info_c = (ext != NULL);
- free(ext);
+ /* Check whether peer supports ext_info/kex_strict */
+ if ((kex->flags & KEX_INITIAL) != 0) {
+ if (kex->server) {
+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
+ kex->kex_strict = kexalgs_contains(peer,
+ "kex-strict-c-v00@openssh.com");
+ } else {
+ kex->kex_strict = kexalgs_contains(peer,
+ "kex-strict-s-v00@openssh.com");
+ }
+ if (kex->kex_strict) {
+ debug3_f("will use strict KEX ordering");
+ if (seq != 0)
+ ssh_packet_disconnect(ssh,
+ "strict KEX violation: "
+ "KEXINIT was not the first packet");
+ }
}
/* Check whether client supports rsa-sha2 algorithms */
--- kex.h.orig
+++ kex.h
@@ -149,6 +149,7 @@
u_int kex_type;
char *server_sig_algs;
int ext_info_c;
+ int kex_strict;
struct sshbuf *my;
struct sshbuf *peer;
struct sshbuf *client_version;
--- packet.c.orig
+++ packet.c
@@ -1208,8 +1208,13 @@
sshbuf_dump(state->output, stderr);
#endif
/* increment sequence number for outgoing packets */
- if (++state->p_send.seqnr == 0)
+ if (++state->p_send.seqnr == 0) {
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
+ ssh_packet_disconnect(ssh, "outgoing sequence number "
+ "wrapped during initial key exchange");
+ }
logit("outgoing seqnr wraps around");
+ }
if (++state->p_send.packets == 0)
if (!(ssh->compat & SSH_BUG_NOREKEY))
return SSH_ERR_NEED_REKEY;
@@ -1217,6 +1222,11 @@
state->p_send.bytes += len;
sshbuf_reset(state->outgoing_packet);
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting send seqnr %u", state->p_send.seqnr);
+ state->p_send.seqnr = 0;
+ }
+
if (type == SSH2_MSG_NEWKEYS)
r = ssh_set_newkeys(ssh, MODE_OUT);
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
@@ -1345,8 +1355,7 @@
/* Stay in the loop until we have received a complete packet. */
for (;;) {
/* Try to read a packet from the buffer. */
- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
- if (r != 0)
+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
break;
/* If we got a packet, return it. */
if (*typep != SSH_MSG_NONE)
@@ -1417,29 +1426,6 @@
return type;
}
-/*
- * Waits until a packet has been received, verifies that its type matches
- * that given, and gives a fatal error and exits if there is a mismatch.
- */
-
-int
-ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
-{
- int r;
- u_char type;
-
- if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
- return r;
- if (type != expected_type) {
- if ((r = sshpkt_disconnect(ssh,
- "Protocol error: expected packet type %d, got %d",
- expected_type, type)) != 0)
- return r;
- return SSH_ERR_PROTOCOL_ERROR;
- }
- return 0;
-}
-
static int
ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
{
@@ -1630,10 +1616,16 @@
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
goto out;
}
+
if (seqnr_p != NULL)
*seqnr_p = state->p_read.seqnr;
- if (++state->p_read.seqnr == 0)
+ if (++state->p_read.seqnr == 0) {
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
+ ssh_packet_disconnect(ssh, "incoming sequence number "
+ "wrapped during initial key exchange");
+ }
logit("incoming seqnr wraps around");
+ }
if (++state->p_read.packets == 0)
if (!(ssh->compat & SSH_BUG_NOREKEY))
return SSH_ERR_NEED_REKEY;
@@ -1699,6 +1691,10 @@
#endif
/* reset for next packet */
state->packlen = 0;
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting read seqnr %u", state->p_read.seqnr);
+ state->p_read.seqnr = 0;
+ }
if ((r = ssh_packet_check_rekey(ssh)) != 0)
return r;
@@ -1721,10 +1717,39 @@
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
if (r != 0)
return r;
- if (*typep) {
- state->keep_alive_timeouts = 0;
- DBG(debug("received packet type %d", *typep));
+ if (*typep == 0) {
+ /* no message ready */
+ return 0;
}
+ state->keep_alive_timeouts = 0;
+ DBG(debug("received packet type %d", *typep));
+
+ /* Always process disconnect messages */
+ if (*typep == SSH2_MSG_DISCONNECT) {
+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
+ return r;
+ /* Ignore normal client exit notifications */
+ do_log2(ssh->state->server_side &&
+ reason == SSH2_DISCONNECT_BY_APPLICATION ?
+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
+ "Received disconnect from %s port %d:"
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh), reason, msg);
+ free(msg);
+ return SSH_ERR_DISCONNECTED;
+ }
+
+ /*
+ * Do not implicitly handle any messages here during initial
+ * KEX when in strict mode. They will be need to be allowed
+ * explicitly by the KEX dispatch table or they will generate
+ * protocol errors.
+ */
+ if (ssh->kex != NULL &&
+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
+ return 0;
+ /* Implicitly handle transport-level messages */
switch (*typep) {
case SSH2_MSG_IGNORE:
debug3("Received SSH2_MSG_IGNORE");
@@ -1739,19 +1764,6 @@
debug("Remote: %.900s", msg);
free(msg);
break;
- case SSH2_MSG_DISCONNECT:
- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
- return r;
- /* Ignore normal client exit notifications */
- do_log2(ssh->state->server_side &&
- reason == SSH2_DISCONNECT_BY_APPLICATION ?
- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
- "Received disconnect from %s port %d:"
- "%u: %.400s", ssh_remote_ipaddr(ssh),
- ssh_remote_port(ssh), reason, msg);
- free(msg);
- return SSH_ERR_DISCONNECTED;
case SSH2_MSG_UNIMPLEMENTED:
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
return r;
@@ -2244,6 +2256,7 @@
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
@@ -2406,6 +2419,7 @@
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
@@ -2734,6 +2748,7 @@
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
--- packet.h.orig
+++ packet.h
@@ -124,7 +124,6 @@
int ssh_packet_send2(struct ssh *);
int ssh_packet_read(struct ssh *);
-int ssh_packet_read_expect(struct ssh *, u_int type);
int ssh_packet_read_poll(struct ssh *);
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
--- sshconnect2.c.orig
+++ sshconnect2.c
@@ -358,7 +358,6 @@
};
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
static int input_userauth_success(int, u_int32_t, struct ssh *);
static int input_userauth_failure(int, u_int32_t, struct ssh *);
static int input_userauth_banner(int, u_int32_t, struct ssh *);
@@ -472,7 +471,7 @@
ssh->authctxt = &authctxt;
ssh_dispatch_init(ssh, &input_userauth_error);
- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
pubkey_cleanup(ssh);
@@ -523,12 +522,6 @@
return r;
}
-static int
-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
-{
- return kex_input_ext_info(type, seqnr, ssh);
-}
-
void
userauth(struct ssh *ssh, char *authlist)
{
@@ -607,6 +600,7 @@
free(authctxt->methoddata);
authctxt->methoddata = NULL;
authctxt->success = 1; /* break out */
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
return 0;
}


@ -0,0 +1,47 @@
--- UTC
r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/auth2.c
Apply class-imposed login restrictions.
--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700
+++ auth2.c 2020-11-16 13:55:25.222771000 -0800
@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
int r, authenticated = 0;
double tstart = monotime_double();
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
"not allowed: (%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL &&
+ (lc = login_getpwclass(authctxt->pw)) != NULL) {
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ ssh_packet_disconnect(ssh, "Logins not available right now.");
+ }
+ login_close(lc);
+ }
+#endif /* HAVE_LOGIN_CAP */
+
/* reset state */
auth2_challenge_stop(ssh);
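Review bot: `from_host` is whatever `auth_get_canonical_hostname(ssh, options.use_dns)` returns, which (as far as I recall from OpenSSH's auth.c) is the peer's IP string whenever UseDNS is off, so name-based host.allow/host.deny entries in login.conf would never match in that configuration and the "Denied connection" log line would print the address twice; a comment above the lookup such as `/* from_host is the bare IP address unless UseDNS is enabled; login.conf host rules are matched against both values */` would save the next reader that surprise. The two deny paths also depend on `ssh_packet_disconnect()` never returning — otherwise `login_close(lc)` is skipped and the request continues as if the class checks had passed — so a `/* does not return */` comment on the first `ssh_packet_disconnect` call would make that dependency explicit. `input_userauth_request` begins and ends outside the hunk.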


@ -1,17 +0,0 @@
--- log.c.orig 2023-07-19 08:31:34.000000000 +0200
+++ log.c 2024-10-07 17:44:12.049091000 +0200
@@ -451,12 +451,14 @@
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}


@ -0,0 +1,25 @@
--- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700
+++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700
@@ -16,6 +16,10 @@
#include "includes.h"
+#if defined(HAVE_PROCCTL)
+#include <string.h>
+#include <unistd.h>
+#endif
#include <sys/types.h>
#ifdef HAVE_SYS_PROCCTL_H
#include <sys/procctl.h>
@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;
- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
- fatal("unable to make the process untraceable");
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
+ fatal("unable to make the process untraceable: %s for pid %d",
+ strerror(errno), (int)getpid());
#endif
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
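Review bot: When `strict` is 0 a failing `procctl()` on the new line is silently ignored, so a process that was meant to become untraceable carries on with no log entry at all (this commit's ssh-agent patch calls `platform_disable_tracing(0); /* strict=no */`, so that is the common case); the failure should at least be reported at debug level so it shows up in `-d` output. `errno` is read in the new `fatal()` call but `<errno.h>` is not among the headers this hunk adds under HAVE_PROCCTL — presumably includes.h pulls it in, worth confirming. `platform_disable_tracing` starts outside the hunk.
```c
	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) != 0) {
		if (strict)
			fatal("unable to make the process untraceable: %s for pid %d",
			    strerror(errno), (int)getpid());
		debug_f("unable to make the process untraceable: %s for pid %d",
		    strerror(errno), (int)getpid());
	}
	/* … unchanged: HAVE_PRCTL / PR_SET_DUMPABLE branch … */
```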


@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected. disconnected.
--- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800 --- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800 +++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700
@@ -188,11 +188,28 @@ static int restrict_websafe = 1; @@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */ /* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1; static int restrict_websafe = 1;
@ -27,19 +27,17 @@ disconnected.
static void static void
close_socket(SocketEntry *e) close_socket(SocketEntry *e)
{ {
size_t i;
+ int last = 0; + int last = 0;
+
+ if (e->type == AUTH_CONNECTION) { + if (e->type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount - 1); + debug("xcount %d -> %d", xcount, xcount - 1);
+ if (--xcount == 0) + if (--xcount == 0)
+ last = 1; + last = 1;
+ } + }
+
close(e->fd); close(e->fd);
sshbuf_free(e->input); sshbuf_free(e->input);
sshbuf_free(e->output); sshbuf_free(e->output);
@@ -205,6 +222,8 @@ close_socket(SocketEntry *e) @@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
memset(e, '\0', sizeof(*e)); memset(e, '\0', sizeof(*e));
e->fd = -1; e->fd = -1;
e->type = AUTH_UNUSED; e->type = AUTH_UNUSED;
@ -48,7 +46,7 @@ disconnected.
} }
static void static void
@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd) @@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@ -59,16 +57,16 @@ disconnected.
set_nonblock(fd); set_nonblock(fd);
if (fd > max_fd) if (fd > max_fd)
@@ -1990,7 +2013,7 @@ usage(void) @@ -1360,7 +1383,7 @@ static void
usage(void) usage(void)
{ {
fprintf(stderr, fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-O option] [-P allowed_providers] [-t life]\n" " [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n" " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
" [-P allowed_providers] [-t life] command [arg ...]\n" " [-t life] command [arg ...]\n"
@@ -2024,6 +2047,7 @@ main(int ac, char **av) @@ -1394,6 +1417,7 @@ main(int ac, char **av)
/* drop */ /* drop */
setegid(getgid()); setegid(getgid());
setgid(getgid()); setgid(getgid());
@ -76,7 +74,7 @@ disconnected.
platform_disable_tracing(0); /* strict=no */ platform_disable_tracing(0); /* strict=no */
@@ -2035,7 +2059,7 @@ main(int ac, char **av) @@ -1405,7 +1429,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
seed_rng(); seed_rng();
@ -85,7 +83,7 @@ disconnected.
switch (ch) { switch (ch) {
case 'E': case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg); fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -2084,6 +2108,9 @@ main(int ac, char **av) @@ -1454,6 +1478,9 @@ main(int ac, char **av)
fprintf(stderr, "Invalid lifetime\n"); fprintf(stderr, "Invalid lifetime\n");
usage(); usage();
} }


@ -1,8 +1,5 @@
!!! --- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700
!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option. +++ sshd_config 2021-09-07 12:34:49.372652000 -0700
!!!
--- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000
+++ sshd_config 2022-02-11 18:52:31.639435000 +0000
@@ -10,6 +10,9 @@ @@ -10,6 +10,9 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
@ -23,7 +20,33 @@
#AuthorizedPrincipalsFile none #AuthorizedPrincipalsFile none
@@ -84,7 +86,7 @@ @@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# To enable tunneled clear text passwords, change to yes here!
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
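Review bot: The new side folds `+#PasswordAuthentication no` and `+#UsePAM yes` into the unconditional sshd_config patch, whereas the header note removed from the old side pointed to files/extra-patch-pam-sshd_config for those PAM-dependent lines; if the port is built with the PAM option off, the installed sample config would then document defaults the binary presumably does not have (this commit's sshd_config.5 section states that these defaults depend on whether sshd was built with PAM support). Either keep those two hunks gated behind the PAM option as before, or add a line to the sample config such as `# The PasswordAuthentication and UsePAM defaults below assume sshd was built with PAM support.` so an operator reading the file is not misled. These are comment lines only; they do not change the compiled-in defaults.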


@ -1,8 +1,8 @@
--- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000 --- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
+++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000 +++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
@@ -701,7 +701,9 @@ @@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
.Qq ssh -Q HostbasedAcceptedAlgorithms . The list of available key types may also be obtained using
This was formerly named HostbasedAcceptedKeyTypes. .Qq ssh -Q key .
.It Cm HostbasedAuthentication .It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together -Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or +Specifies whether rhosts or
@ -11,7 +11,7 @@
with successful public key client host authentication is allowed with successful public key client host authentication is allowed
(host-based authentication). (host-based authentication).
The default is The default is
@@ -1277,7 +1279,23 @@ @@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication .It Cm PasswordAuthentication
Specifies whether password authentication is allowed. Specifies whether password authentication is allowed.
The default is The default is
@ -20,7 +20,6 @@
+.Nm sshd +.Nm sshd
+was built without PAM support, in which case the default is +was built without PAM support, in which case the default is
.Cm yes . .Cm yes .
+.Pp
+Note that if +Note that if
+.Cm ChallengeResponseAuthentication +.Cm ChallengeResponseAuthentication
+is +is
@ -35,7 +34,7 @@
.It Cm PermitEmptyPasswords .It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings. server allows login to accounts with empty password strings.
@@ -1416,6 +1434,13 @@ @@ -1232,6 +1251,13 @@ and
.Cm ethernet . .Cm ethernet .
The default is The default is
.Cm no . .Cm no .
@ -49,15 +48,12 @@
.Pp .Pp
Independent of this setting, the permissions of the selected Independent of this setting, the permissions of the selected
.Xr tun 4 .Xr tun 4
@@ -1774,12 +1799,19 @@ @@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
.Xr sshd 8 .Xr sshd 8
as a non-root user. as a non-root user.
The default is The default is
+.Cm yes , -.Cm no .
+unless +.Cm yes .
+.Nm sshd
+was built without PAM support, in which case the default is
.Cm no .
.It Cm VersionAddendum .It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection. sent by the server upon connection.
@ -70,7 +66,7 @@
.It Cm X11DisplayOffset .It Cm X11DisplayOffset
Specifies the first display number available for Specifies the first display number available for
.Xr sshd 8 Ns 's .Xr sshd 8 Ns 's
@@ -1793,7 +1825,7 @@ @@ -1512,7 +1541,7 @@ The argument must be
or or
.Cm no . .Cm no .
The default is The default is


@ -1,9 +0,0 @@
--- version.h.orig 2024-10-07 17:49:30.883030000 +0200
+++ version.h 2024-10-07 17:49:42.221944000 +0200
@@ -2,5 +2,5 @@
#define SSH_VERSION "OpenSSH_9.3"
-#define SSH_PORTABLE "p2"
+#define SSH_PORTABLE "klara-p2"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE


@ -11,3 +11,5 @@ The portable OpenSSH follows development of the official version, but releases
are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1). are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
The official OpenBSD source will never use the 'p' suffix, but will instead The official OpenBSD source will never use the 'p' suffix, but will instead
increment the version number when they hit 'stable spots' in their development. increment the version number when they hit 'stable spots' in their development.
WWW: https://www.openssh.com/portable.html