Update openssh 9.0

security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c

@@ -0,0 +1,19 @@
+--- auth2-gss.c.orig	2022-03-03 10:56:35.668672000 -0800
++++ auth2-gss.c	2022-03-03 11:03:16.048838000 -0800
+@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct 
+  * The 'gssapi_keyex' userauth mechanism.
+  */
+ static int
+-userauth_gsskeyex(struct ssh *ssh)
++userauth_gsskeyex(struct ssh *ssh, const char *method)
+ {
+ 	Authctxt *authctxt = ssh->authctxt;
+ 	int r, authenticated = 0;
+@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh 
+ 
+ Authmethod method_gsskeyex = {
+ 	"gssapi-keyex",
++	NULL,
+ 	userauth_gsskeyex,
+ 	&options.gss_authentication
+ };

security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c

@@ -1,12 +0,0 @@
-Avoid free(const char*)
---- sshconnect2.c.orig	2020-11-19 14:56:54.387846000 -0800
-+++ sshconnect2.c	2020-11-19 14:57:04.445045000 -0800
-@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
- 		/* Fall back to specified host if we are using proxy command
- 		 * and can not use DNS on that socket */
- 		if (strcmp(gss_host, "UNKNOWN") == 0) {
--			gss_host = authctxt->host;
-+			gss_host = xstrdup(authctxt->host);
- 		}
- 	} else {
- 		gss_host = xstrdup(authctxt->host);

security/openssh-portable/files/extra-patch-hpn

@@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  			free(cipher_list);
  			return 0;
  		}
---- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
-@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+--- work/openssh/clientloop.c.orig	2022-02-23 03:31:11.000000000 -0800
++++ work/openssh/clientloop.c	2022-03-02 12:53:47.624273000 -0800
+@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
  	sock = x11_connect_display(ssh);
  	if (sock < 0)
  		return NULL;
@@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c = channel_new(ssh, "x11",
  	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
- 			    __func__, ssh_err(r));
- 		return NULL;
- 	}
+@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
+ 	else
+ 		debug2_fr(r, "ssh_agent_bind_hostkey");
+ 
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
 +		c = channel_new(ssh, "authentication agent connection",
@@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c = channel_new(ssh, "authentication agent connection",
  	    SSH_CHANNEL_OPEN, sock, sock, -1,
  	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
  	}
  	debug("Tunnel forwarding using interface %s", ifname);
  

security/openssh-portable/files/extra-patch-pam-sshd_config

@@ -0,0 +1,31 @@
+--- sshd_config.nopam	2022-02-11 19:19:59.515475000 +0000
++++ sshd_config	2022-02-11 19:20:45.334738000 +0000
+@@ -55,8 +55,8 @@
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
+ 
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
++# To enable tunneled clear text passwords, change to yes here!
++#PasswordAuthentication no
+ #PermitEmptyPasswords no
+ 
+ # Change to no to disable s/key passwords
+@@ -72,7 +72,7 @@
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
+ 
+-# Set this to 'yes' to enable PAM authentication, account processing,
++# Set this to 'no' to disable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+ # be allowed through the KbdInteractiveAuthentication and
+ # PasswordAuthentication.  Depending on your PAM configuration,
+@@ -81,7 +81,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++#UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes

security/openssh-portable/files/extra-patch-tcpwrappers

@@ -83,11 +83,9 @@ index 0ade557..045f149 100644
  
  	/* Log the connection. */
  	laddr = get_local_ipaddr(sock_in);
-diff --git configure.ac configure.ac
-index f48ba4a..66fbe82 100644
---- configure.ac.orig	2019-04-17 15:52:57.000000000 -0700
-+++ configure.ac	2019-07-02 20:58:48.627832000 -0700
-@@ -1494,6 +1494,62 @@ else
+--- configure.ac.orig	2022-02-23 03:31:11.000000000 -0800
++++ configure.ac	2022-03-02 12:47:49.958341000 -0800
+@@ -1599,6 +1599,62 @@ else
  	AC_MSG_RESULT([no])
  fi
  
@@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5245,6 +5301,7 @@ echo "                       PAM support: $PAM_MSG"
+@@ -5593,6 +5649,7 @@ echo "                       PAM support: $PAM_MSG"
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
- echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "                   libldns support: $LDNS_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"

security/openssh-portable/files/openssh.in

@@ -22,6 +22,16 @@ load_rc_config ${name}
 : ${openssh_enable:="NO"}
 : ${openssh_skipportscheck="NO"}
 
+# These only control ssh-keygen automatically generating host keys.
+: ${openssh_dsa_enable="YES"}
+: ${openssh_dsa_flags=""}
+: ${openssh_rsa_enable="YES"}
+: ${openssh_rsa_flags=""}
+: ${openssh_ecdsa_enable="YES"}
+: ${openssh_ecdsa_flags=""}
+: ${openssh_ed25519_enable="YES"}
+: ${openssh_ed25519_flags=""}
+
 command=%%PREFIX%%/sbin/sshd
 extra_commands="configtest reload keygen"
 start_precmd="${name}_checks"
@@ -33,10 +43,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
 
 openssh_keygen()
 {
-	if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_rsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
+	local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
+	checkyesno openssh_dsa_enable || skip_dsa=y
+	checkyesno openssh_rsa_enable || skip_rsa=y
+	checkyesno openssh_ecdsa_enable || skip_ecdsa=y
+	checkyesno openssh_ed25519_enable || skip_ed25519=y
+
+	if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
+	    \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
+	    \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
+	    \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
 		return 0
 	fi
 
@@ -50,8 +66,8 @@ openssh_keygen()
 		echo "You already have a DSA host key" \
 			"in %%ETCDIR%%/ssh_host_dsa_key"
 		echo "Skipping protocol version 2 DSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t dsa \
+	elif checkyesno openssh_dsa_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
 			-f %%ETCDIR%%/ssh_host_dsa_key -N ''
 	fi
 
@@ -59,8 +75,8 @@ openssh_keygen()
 		echo "You already have a RSA host key" \
 			"in %%ETCDIR%%/ssh_host_rsa_key"
 		echo "Skipping protocol version 2 RSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t rsa \
+	elif checkyesno openssh_rsa_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
 			-f %%ETCDIR%%/ssh_host_rsa_key -N ''
 	fi
 
@@ -68,8 +84,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve DSA host key" \
 			"in %%ETCDIR%%/ssh_host_ecdsa_key"
 		echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t ecdsa \
+	elif checkyesno openssh_ecdsa_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
 			-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
 	fi
 
@@ -77,8 +93,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve ED25519 host key" \
 			"in %%ETCDIR%%/ssh_host_ed25519_key"
 		echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t ed25519 \
+	elif checkyesno openssh_ed25519_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
 			-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
 	fi
 }
@@ -156,7 +172,7 @@ openssh_checks()
       fi
 	fi
 
-	run_rc_command keygen
+	openssh_keygen
 	openssh_configtest
 }
 

security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata

@@ -0,0 +1,43 @@
+commit fc3c19a9fceeea48a9259ac3833a125804342c0e
+Author: Ed Maste <emaste@FreeBSD.org>
+Date:   Sat Oct 6 21:32:55 2018 +0000
+
+    sshd: address capsicum issues
+    
+    * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
+      capability mode.
+    * Cache timezone data via caph_cache_tzdata() as we cannot access the
+      timezone file.
+    * Reverse resolve hostname before entering capability mode.
+    
+    PR:             231172
+    Submitted by:   naito.yuichiro@gmail.com
+    Reviewed by:    cem, des
+    Approved by:    re (rgrimes)
+    MFC after:      3 weeks
+    Differential Revision:  https://reviews.freebsd.org/D17128
+
+Notes:
+    svn path=/head/; revision=339216
+
+diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
+index 5f41d526292b..f728abd18250 100644
+--- sandbox-capsicum.c
++++ sandbox-capsicum.c
+@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <capsicum_helpers.h>
+ 
+ #include "log.h"
+ #include "monitor.h"
+@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
+ 	struct rlimit rl_zero;
+ 	cap_rights_t rights;
+ 
++	caph_cache_tzdata();
++
+ 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ 
+ 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

security/openssh-portable/files/patch-FreeBSD-logincap

@@ -0,0 +1,69 @@
+(pulled from the PR)
+
+commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
+Author: Ed Maste <emaste@FreeBSD.org>
+Date:   Tue Aug 31 15:30:50 2021 -0400
+
+    openssh: simplify login class restrictions
+
+    Login class-based restrictions were introduced in 5b400a39b8ad.  The
+    code was adapted for sshd's Capsicum sandbox and received many changes
+    over time, including at least fc3c19a9fcee, bd393de91cc3, and
+    e8c56fba2926.
+
+    During an attempt to upstream the work a much simpler approach was
+    suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
+    future updates.
+
+    Submitted by:   Yuchiro Naito (against OpenSSH-portable on GitHub)
+    Obtained from:  https://github.com/openssh/openssh-portable/pull/262
+    Reviewed by:    allanjude, kevans
+    MFC after:      2 weeks
+    Differential Revision:  https://reviews.freebsd.org/D31760
+
+
+--- auth.c
++++ auth.c
+@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ {
+ #ifdef HAVE_LOGIN_CAP
+ 	extern login_cap_t *lc;
++#ifdef HAVE_AUTH_HOSTOK
++	const char *from_host, *from_ip;
++#endif
+ #ifdef BSD_AUTH
+ 	auth_session_t *as;
+ #endif
+@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ 		debug("unable to get login class: %s", user);
+ 		return (NULL);
+ 	}
++#ifdef HAVE_AUTH_HOSTOK
++	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++	from_ip = ssh_remote_ipaddr(ssh);
++	if (!auth_hostok(lc, from_host, from_ip)) {
++		debug("Denied connection for %.200s from %.200s [%.200s].",
++		      pw->pw_name, from_host, from_ip);
++		return (NULL);
++	}
++#endif /* HAVE_AUTH_HOSTOK */
++#ifdef HAVE_AUTH_TIMEOK
++	if (!auth_timeok(lc, time(NULL))) {
++		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
++		return (NULL);
++	}
++#endif /* HAVE_AUTH_TIMEOK */
+ #ifdef BSD_AUTH
+ 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+ 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
+--- configure.ac
++++ configure.ac
+@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
+ 
+ dnl    Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS([ \
++	auth_hostok \
++	auth_timeok \
+ 	Blowfish_initstate \
+ 	Blowfish_expandstate \
+ 	Blowfish_expand0state \

security/openssh-portable/files/patch-auth2.c

@@ -1,47 +0,0 @@
---- UTC
-r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
-   M /head/crypto/openssh/auth2.c
-
-Apply class-imposed login restrictions.
-
---- auth2.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ auth2.c	2020-11-16 13:55:25.222771000 -0800
-@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
- 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
- 	int r, authenticated = 0;
- 	double tstart = monotime_double();
-+#ifdef HAVE_LOGIN_CAP
-+	login_cap_t *lc;
-+	const char *from_host, *from_ip;
-+#endif
- 
- 	if (authctxt == NULL)
- 		fatal("input_userauth_request: no authctxt");
-@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
- 		    "not allowed: (%s,%s) -> (%s,%s)",
- 		    authctxt->user, authctxt->service, user, service);
- 	}
-+
-+#ifdef HAVE_LOGIN_CAP
-+	if (authctxt->pw != NULL &&
-+	    (lc = login_getpwclass(authctxt->pw)) != NULL) {
-+		from_host = auth_get_canonical_hostname(ssh, options.use_dns);
-+		from_ip = ssh_remote_ipaddr(ssh);
-+		if (!auth_hostok(lc, from_host, from_ip)) {
-+			logit("Denied connection for %.200s from %.200s [%.200s].",
-+			    authctxt->pw->pw_name, from_host, from_ip);
-+			ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
-+		}
-+		if (!auth_timeok(lc, time(NULL))) {
-+			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+			    authctxt->pw->pw_name, from_host);
-+			ssh_packet_disconnect(ssh, "Logins not available right now.");
-+		}
-+		login_close(lc);
-+	}
-+#endif  /* HAVE_LOGIN_CAP */
-+
- 	/* reset state */
- 	auth2_challenge_stop(ssh);
- 

security/openssh-portable/files/patch-platform-tracing.c

@@ -1,25 +1,21 @@
---- platform-tracing.c.orig	2021-09-26 07:03:19.000000000 -0700
-+++ platform-tracing.c	2021-10-15 10:08:20.537813000 -0700
-@@ -16,6 +16,10 @@
- 
- #include "includes.h"
- 
+--- platform-tracing.c.orig	2022-03-07 14:48:27.152541000 -0800
++++ platform-tracing.c	2022-03-07 14:56:33.402458000 -0800
+@@ -32,6 +32,9 @@
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <string.h>
 +#if defined(HAVE_PROCCTL)
-+#include <string.h>
 +#include <unistd.h>
 +#endif
- #include <sys/types.h>
- #ifdef HAVE_SYS_PROCCTL_H
- #include <sys/procctl.h>
-@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
+ 
+ #include "log.h"
+ 
+@@ -42,7 +45,7 @@ platform_disable_tracing(int strict)
  	/* On FreeBSD, we should make this process untraceable */
  	int disable_trace = PROC_TRACE_CTL_DISABLE;
  
 -	if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
--		fatal("unable to make the process untraceable");
 +	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
-+		fatal("unable to make the process untraceable: %s for pid %d",
-+		    strerror(errno), (int)getpid());
+ 		fatal("unable to make the process untraceable: %s",
+ 		    strerror(errno));
  #endif
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- 	/* Disable ptrace on Linux without sgid bit */

security/openssh-portable/files/patch-ssh-agent.c

@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ ssh-agent.c	2021-04-27 11:47:59.362589000 -0700
-@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+--- ssh-agent.c.orig	2022-02-23 03:31:11.000000000 -0800
++++ ssh-agent.c	2022-03-02 12:50:47.745853000 -0800
+@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  /* Refuse signing of non-SSH messages for web-origin FIDO keys */
  static int restrict_websafe = 1;
  
@@ -27,17 +27,19 @@ disconnected.
  static void
  close_socket(SocketEntry *e)
  {
+ 	size_t i;
 +	int last = 0;
-+
+ 
 +	if (e->type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount - 1);
 +		if (--xcount == 0)
 +			last = 1;
 +	}
++
  	close(e->fd);
  	sshbuf_free(e->input);
  	sshbuf_free(e->output);
-@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
+@@ -206,6 +223,8 @@ close_socket(SocketEntry *e)
  	memset(e, '\0', sizeof(*e));
  	e->fd = -1;
  	e->type = AUTH_UNUSED;
@@ -46,7 +48,7 @@ disconnected.
  }
  
  static void
-@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
+@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd)
  
  	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
  	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@@ -57,7 +59,7 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1360,7 +1383,7 @@ static void
+@@ -1999,7 +2022,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
@@ -66,7 +68,7 @@ disconnected.
  	    "                 [-P allowed_providers] [-t life]\n"
  	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
  	    "                 [-t life] command [arg ...]\n"
-@@ -1394,6 +1417,7 @@ main(int ac, char **av)
+@@ -2033,6 +2056,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -74,7 +76,7 @@ disconnected.
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1405,7 +1429,7 @@ main(int ac, char **av)
+@@ -2044,7 +2068,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -83,7 +85,7 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1454,6 +1478,9 @@ main(int ac, char **av)
+@@ -2093,6 +2117,9 @@ main(int ac, char **av)
  				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}

security/openssh-portable/files/patch-sshd_config

@@ -1,5 +1,8 @@
---- sshd_config.orig	2021-08-19 21:03:49.000000000 -0700
-+++ sshd_config	2021-09-07 12:34:49.372652000 -0700
+!!!
+!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
+!!!
+--- sshd_config.orig	2022-02-11 18:49:55.062881000 +0000
++++ sshd_config	2022-02-11 18:52:31.639435000 +0000
 @@ -10,6 +10,9 @@
  # possible, but leave them commented.  Uncommented options override the
  # default value.
@@ -20,33 +23,7 @@
  
  #AuthorizedPrincipalsFile none
  
-@@ -53,8 +55,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
- # Don't read the user's ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
- 
--# To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
-+# To enable tunneled clear text passwords, change to yes here!
-+#PasswordAuthentication no
- #PermitEmptyPasswords no
- 
- # Change to no to disable s/key passwords
-@@ -70,7 +72,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
- 
--# Set this to 'yes' to enable PAM authentication, account processing,
-+# Set this to 'no' to disable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
- # be allowed through the KbdInteractiveAuthentication and
- # PasswordAuthentication.  Depending on your PAM configuration,
-@@ -79,12 +81,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and KbdInteractiveAuthentication to 'no'.
--#UsePAM no
-+#UsePAM yes
- 
+@@ -84,7 +86,7 @@
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no

security/openssh-portable/files/patch-sshd_config.5

@@ -1,8 +1,8 @@
---- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
-+++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
-@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
- The list of available key types may also be obtained using
- .Qq ssh -Q key .
+--- sshd_config.5.orig	2022-02-11 18:50:00.822679000 +0000
++++ sshd_config.5	2022-02-11 19:09:05.162504000 +0000
+@@ -701,7 +701,9 @@
+ .Qq ssh -Q HostbasedAcceptedAlgorithms .
+ This was formerly named HostbasedAcceptedKeyTypes.
  .It Cm HostbasedAuthentication
 -Specifies whether rhosts or /etc/hosts.equiv authentication together
 +Specifies whether rhosts or
@@ -11,7 +11,7 @@
  with successful public key client host authentication is allowed
  (host-based authentication).
  The default is
-@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
+@@ -1277,7 +1279,23 @@
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
@@ -20,6 +20,7 @@
 +.Nm sshd
 +was built without PAM support, in which case the default is
  .Cm yes .
++.Pp
 +Note that if
 +.Cm ChallengeResponseAuthentication
 +is
@@ -34,7 +35,7 @@
  .It Cm PermitEmptyPasswords
  When password authentication is allowed, it specifies whether the
  server allows login to accounts with empty password strings.
-@@ -1232,6 +1251,13 @@ and
+@@ -1416,6 +1434,13 @@
  .Cm ethernet .
  The default is
  .Cm no .
@@ -48,12 +49,15 @@
  .Pp
  Independent of this setting, the permissions of the selected
  .Xr tun 4
-@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
+@@ -1774,12 +1799,19 @@
  .Xr sshd 8
  as a non-root user.
  The default is
--.Cm no .
-+.Cm yes .
++.Cm yes ,
++unless
++.Nm sshd
++was built without PAM support, in which case the default is
+ .Cm no .
  .It Cm VersionAddendum
  Optionally specifies additional text to append to the SSH protocol banner
  sent by the server upon connection.
@@ -66,7 +70,7 @@
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's
-@@ -1512,7 +1541,7 @@ The argument must be
+@@ -1793,7 +1825,7 @@
  or
  .Cm no .
  The default is