9.3

Oups
Update
2024-10-08 15:12:26 +02:00 · 2024-10-08 15:11:57 +02:00 · 2024-10-08 15:07:11 +02:00 · 2024-10-08 15:05:03 +02:00 · 2024-10-08 14:46:14 +02:00 · 2024-10-08 14:40:51 +02:00
25 changed files with 503 additions and 469 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -1,25 +1,23 @@
 # Created by: dwcjr@inethouston.net
 # $FreeBSD$
 PORTNAME=	openssh
-DISTVERSION=	8.4p1
+DISTVERSION=	9.3p2
-PORTREVISION=	3
+PORTREVISION=	1
-PORTEPOCH=	1
+PORTEPOCH=	3
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
 PKGNAMESUFFIX?=	-portable
 MAINTAINER=	bdrewery@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 WWW=		https://www.openssh.com/portable.html
 LICENSE=	OPENSSH
 LICENSE_NAME=	OpenSSH Licenses
 LICENSE_FILE=	${WRKSRC}/LICENCE
 LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
-CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-*
+CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel
-USES=			alias autoreconf compiler:c11 localbase ncurses \
+USES=			alias autoreconf compiler:c11 cpe localbase ncurses \
 			pkgconfig ssl
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS=		--prefix=${PREFIX} \
@ -29,6 +27,8 @@ CONFIGURE_ARGS=		--prefix=${PREFIX} \
 ETCOLD=			${PREFIX}/etc
 CPE_VENDOR=		openbsd
 FLAVORS=			default hpn gssapi
 default_CONFLICTS_INSTALL=	openssh-portable-hpn openssh-portable-gssapi \
 				openssh-portable-x509
@ -66,6 +66,8 @@ BLACKLISTD_DESC=	FreeBSD blacklistd(8) support
 OPTIONS_SUB=		yes
 PAM_EXTRA_PATCHES=	${FILESDIR}/extra-patch-pam-sshd_config
 TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
@ -88,8 +90,6 @@ BSM_CONFIGURE_ON=	--with-audit=bsm
 FIDO_U2F_LIB_DEPENDS=	libfido2.so:security/libfido2
 FIDO_U2F_CONFIGURE_ON=	--with-security-key-builtin
 FIDO_U2F_CONFIGURE_OFF=	--disable-security-key
 # Until https://reviews.freebsd.org/D27289 is committed
 FIDO_U2F_EXTRA_PATCHES=	${FILESDIR}/extra-patch-libfido2-configure.ac
 BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
@ -100,7 +100,7 @@ ETCDIR?=		${PREFIX}/etc/ssh
 PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 # Must add this patch before HPN due to conflicts
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
+.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
 #BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
@ -108,14 +108,15 @@ EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-2
+GSSAPI_DEBIAN_VERSION=	9.4p1
 GSSAPI_DEBIAN_SUBDIR=	${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
-GSSAPI_UPDATE_DATE=	20200607
+GSSAPI_DISTVERSION=	9.4p1
-PATCHFILES+=	openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
+PATCHFILES+=	openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
-EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-sshconnect2.c
+EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-auth2-gss.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
 .endif
@ -190,10 +191,15 @@ VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
 CFLAGS+=	${CFLAGS_${CHOSEN_COMPILER_TYPE}}
 CFLAGS_gcc=	-Wno-stringop-truncation -Wno-stringop-overflow
 SSH_ASKPASS_PATH?=	${LOCALBASE}/bin/ssh-askpass
 post-patch:
 	@${REINPLACE_CMD} \
 	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
 	    ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} \
 	    -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \
 	    ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac
 	@${REINPLACE_CMD} \
 	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@ -1,5 +1,5 @@
-TIMESTAMP = 1605552780
+TIMESTAMP = 1695396338
-SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
+SHA256 (openssh-9.3p2.tar.gz) = 200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
-SIZE (openssh-8.4p1.tar.gz) = 1742201
+SIZE (openssh-9.3p2.tar.gz) = 1835850
-SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
+SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 9492c1db4307aa3fe6e12d77fff01376bf275af2980ae55b926a505aae9e9b14
-SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748
+SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131674
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
@ -1,5 +1,5 @@
--- blacklist.c.orig	2020-11-16 16:45:24.799150000 -0800
+--- blacklist.c.orig	2021-04-28 13:37:52.679784000 -0700
-+++ blacklist.c	2020-11-16 16:45:20.000470000 -0800
+++ blacklist.c	2021-04-28 13:56:45.677805000 -0700
@@ -0,0 +1,92 @@
 +/*-
 + * Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -75,7 +75,7 @@
 +	default:
 +		imlevel = SYSLOG_LEVEL_DEBUG2;
 +	}
-+	do_log(imlevel, message, args);
+	do_log2(imlevel, message, args);
 +}
 +
 +void
@ -157,9 +157,9 @@
 +
 +
 +#endif /* BLACKLIST_CLIENT_H */
--- servconf.c.orig	2020-11-16 15:52:13.175438000 -0800
+--- servconf.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ servconf.c	2020-11-16 15:52:15.812142000 -0800
+++ servconf.c	2021-04-28 13:36:19.591999000 -0700
-@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions *options)
+@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
 	options->max_sessions = -1;
 	options->banner = NULL;
 	options->use_dns = -1;
@ -167,7 +167,7 @@
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
 	options->num_authkeys_files = 0;
-@@ -432,6 +433,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
 		options->max_sessions = DEFAULT_SESSIONS_MAX;
 	if (options->use_dns == -1)
 		options->use_dns = 0;
@ -176,15 +176,15 @@
 	if (options->client_alive_interval == -1)
 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
-@@ -528,6 +531,7 @@ typedef enum {
+@@ -506,6 +509,7 @@ typedef enum {
- 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+ 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sUseBlacklist,
- 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
- 	sHostKeyAlgorithms,
+ 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-@@ -658,6 +662,8 @@ static struct {
+@@ -642,6 +646,8 @@ static struct {
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
@ -193,7 +193,7 @@
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
-@@ -1708,6 +1714,10 @@ process_server_config_line_depth(ServerOptions *option
+@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
 		intptr = &options->use_dns;
 		goto parse_flag;
@ -204,7 +204,7 @@
 	case sLogFacility:
 		log_facility_ptr = &options->log_facility;
 		arg = strdelim(&cp);
-@@ -2841,6 +2851,7 @@ dump_config(ServerOptions *o)
+@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
@ -322,28 +322,28 @@
 			ssh_packet_clear_keys(ssh);
 			errno = oerrno;
 			logdie("Unable to negotiate with %s: %s. "
--- sshd.c.orig	2020-11-16 15:52:45.846609000 -0800
+--- sshd.c.orig	2021-08-19 21:03:49.000000000 -0700
-+++ sshd.c	2020-11-16 15:56:34.401305000 -0800
+++ sshd.c	2021-09-10 10:37:17.926747000 -0700
-@@ -131,6 +131,7 @@
+@@ -123,6 +123,7 @@
 #include "version.h"
 #include "ssherr.h"
 #include "sk-api.h"
 +#include "blacklist_client.h"
 #include "srclimit.h"
 #include "dh.h"
- #ifdef LIBWRAP
+@@ -366,6 +367,8 @@ grace_alarm_handler(int sig)
 #include <tcpd.h>
@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)
 		kill(0, SIGTERM);
 	}
 +	BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh");
 +
 	/* XXX pre-format ipaddr/port so we don't need to access active_state */
 	/* Log error and exit. */
- 	sigdie("Timeout before authentication for %s port %d",
+ 	if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
-@@ -2290,6 +2293,9 @@ main(int ac, char **av)
+ 		cleanup_exit(255); /* don't log in privsep child */
@@ -2225,6 +2228,9 @@ main(int ac, char **av)
 	if ((loginmsg = sshbuf_new()) == NULL)
- 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 	auth_debug_reset();
 +
 +	if (options.use_blacklist)
@ -351,15 +351,15 @@
 	if (use_privsep) {
 		if (privsep_preauth(ssh) == 1)
--- Makefile.in.orig	2020-11-16 16:27:13.408700000 -0800
+--- Makefile.in.orig	2022-10-03 07:51:42.000000000 -0700
-+++ Makefile.in	2020-11-16 16:28:28.083007000 -0800
+++ Makefile.in	2022-10-09 10:50:06.401377000 -0700
-@@ -180,6 +180,8 @@ FIXPATHSCMD	= $(SED) $(PATHSUBS)
+@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
 FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
 		     @UNSUPPORTED_ALGORITHMS@
 +LIBSSH_OBJS+=	blacklist.o
 +
- all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
 $(LIBSSH_OBJS): Makefile.in config.h
 --- sshd_config.orig	2020-11-16 16:57:14.276036000 -0800
--- a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
+++ b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
@ -0,0 +1,19 @@
 --- auth2-gss.c.orig	2022-03-03 10:56:35.668672000 -0800
 +++ auth2-gss.c	2022-03-03 11:03:16.048838000 -0800
@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct 
  * The 'gssapi_keyex' userauth mechanism.
  */
 static int
 -userauth_gsskeyex(struct ssh *ssh)
 +userauth_gsskeyex(struct ssh *ssh, const char *method)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	int r, authenticated = 0;
@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh 
 Authmethod method_gsskeyex = {
 	"gssapi-keyex",
 +	NULL,
 	userauth_gsskeyex,
 	&options.gss_authentication
 };
--- a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
+++ b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
@ -1,12 +0,0 @@
 Avoid free(const char*)
 --- sshconnect2.c.orig	2020-11-19 14:56:54.387846000 -0800
 +++ sshconnect2.c	2020-11-19 14:57:04.445045000 -0800
@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
 		/* Fall back to specified host if we are using proxy command
 		 * and can not use DNS on that socket */
 		if (strcmp(gss_host, "UNKNOWN") == 0) {
 -			gss_host = authctxt->host;
 +			gss_host = xstrdup(authctxt->host);
 		}
 	} else {
 		gss_host = xstrdup(authctxt->host);
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
--- work/openssh-7.7p1/channels.c.orig	2018-04-01 22:38:28.000000000 -0700
+--- channels.c.orig	2023-02-02 04:21:54.000000000 -0800
-+++ work/openssh-7.7p1/channels.c	2018-06-27 16:37:07.663857000 -0700
+++ channels.c	2023-02-03 10:45:34.136793000 -0800
-@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
+@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels *
 /* Setup helper */
 static void channel_handler_init(struct ssh_channels *sc);
@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /* -- channel core */
 void
-@@ -392,6 +398,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
 	c->local_window = window;
 	c->local_window_max = window;
 	c->local_maxpacket = maxpack;
@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c->remote_name = xstrdup(remote_name);
 	c->ctl_chan = -1;
 	c->delayed = 1;		/* prevent call to channel_post handler */
-@@ -1059,6 +1068,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
+@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int 
- 	FD_SET(c->sock, writeset);
+ 		fatal_fr(r, "channel %i", c->self);
 }
 +#ifdef HPN_ENABLED
@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
 static void
- channel_pre_open(struct ssh *ssh, Channel *c,
+ channel_pre_listener(struct ssh *ssh, Channel *c)
-     fd_set *readset, fd_set *writeset)
+ {
-@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
@ -203,27 +203,24 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		}
 +#endif
 		if (!c->have_remote_id)
- 			fatal(":%s: channel %d: no remote id",
+ 			fatal_f("channel %d: no remote id", c->self);
 			    __func__, c->self);
 		if ((r = sshpkt_start(ssh,
 		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
 -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
 +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
 		    (r = sshpkt_send(ssh)) != 0) {
- 			fatal("%s: channel %i: %s", __func__,
+ 			fatal_fr(r, "channel %i", c->self);
 			    c->self, ssh_err(r));
 		}
- 		debug2("channel %d: window %d sent adjust %d",
+ 		debug2("channel %d: window %d sent adjust %d", c->self,
- 		    c->self, c->local_window,
+-		    c->local_window, c->local_consumed);
 -		    c->local_consumed);
 -		c->local_window += c->local_consumed;
-+		    c->local_consumed + addition);
+		    c->local_window, c->local_consumed + addition);
 +		c->local_window += c->local_consumed + addition;
 		c->local_consumed = 0;
 	}
 	return 1;
-@@ -3354,6 +3398,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
+@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
 	return addr;
 }
@ -241,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 static int
 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
     struct Forward *fwd, int *allocated_listen_port,
-@@ -3494,6 +3549,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
+@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
 		}
 		/* Allocate a channel number for the socket. */
@ -251,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		 * window size.
 +		 */
 +		if (!hpn_disabled)
-+			c = channel_new(ssh, "port listener", type, sock, sock, -1,
+			c = channel_new(ssh, "port listener", type, sock, sock,
-+			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+			    -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +			    0, "port listener", 1);
 +		else
 +#endif
- 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
+ 		c = channel_new(ssh, "port-listener", type, sock, sock, -1,
 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 		    0, "port listener", 1);
-@@ -4631,6 +4697,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
+@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 	for (n = 0; n < num_socks; n++) {
 		sock = socks[n];
@ -271,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +			    0, "X11 inet listener", 1);
 +		else
 +#endif
- 		nc = channel_new(ssh, "x11 listener",
+ 		nc = channel_new(ssh, "x11-listener",
 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
 --- work/openssh-7.7p1/channels.h.orig	2018-04-01 22:38:28.000000000 -0700
@ -312,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 			free(cipher_list);
 			return 0;
 		}
--- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
+--- work/openssh/clientloop.c.orig	2022-02-23 03:31:11.000000000 -0800
-+++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
+++ work/openssh/clientloop.c	2022-03-02 12:53:47.624273000 -0800
-@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
 	sock = x11_connect_display(ssh);
 	if (sock < 0)
 		return NULL;
@ -330,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c = channel_new(ssh, "x11",
 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
+@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
- 			    __func__, ssh_err(r));
+ 	else
- 		return NULL;
+ 		debug2_fr(r, "ssh_agent_bind_hostkey");
- 	}
+ 
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
 +		c = channel_new(ssh, "authentication agent connection",
@ -345,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c = channel_new(ssh, "authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 	}
 	debug("Tunnel forwarding using interface %s", ifname);
@ -358,21 +355,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
--- work.clean/openssh-6.8p1/compat.c	2015-03-17 00:49:20.000000000 -0500
+--- work/openssh/compat.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ work/openssh-6.8p1/compat.c	2015-04-03 16:39:57.665699000 -0500
+++ work/openssh/compat.c	2021-04-28 14:37:33.129317000 -0700
-@@ -177,6 +177,14 @@
+@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- 			debug("match: %s pat %s compat 0x%08x",
+ 			debug_f("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, check[i].bugs);
- 			datafellows = check[i].bugs;	/* XXX for now */
+ 			ssh->compat = check[i].bugs;
 +#ifdef HPN_ENABLED
 +			/* Check to see if the remote side is OpenSSH and not HPN */
 +			if (strstr(version,"OpenSSH") != NULL &&
 +			    strstr(version,"hpn") == NULL) {
-+				datafellows |= SSH_BUG_LARGEWINDOW;
+				ssh->compat |= SSH_BUG_LARGEWINDOW;
 +				debug("Remote is NON-HPN aware");
 +			}
 +#endif
- 			return check[i].bugs;
+ 			return;
 		}
 	}
 --- work/openssh/compat.h.orig	2015-05-29 03:27:21.000000000 -0500
@ -387,8 +384,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 void     enable_compat13(void);
 void     enable_compat20(void);
--- configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
+--- work/openssh/configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
-+++ configure.ac	2020-03-22 11:07:10.017487000 -0700
+++ work/openssh/configure.ac	2020-03-22 11:07:10.017487000 -0700
@@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir],
     ]
 ) # maildir
@ -424,9 +421,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 echo ""
--- work.clean/openssh-7.2p1/kex.c.orig	2016-02-25 19:40:04.000000000 -0800
+--- work/openssh/kex.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ work.clean/openssh-7.2p1/kex.c	2016-02-29 08:02:25.565288000 -0800
+++ work/openssh/kex.c	2021-04-28 14:38:31.761909000 -0700
-@@ -907,6 +907,20 @@ kex_choose_conf(struct ssh *ssh)
+@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh)
 			peer[ncomp] = NULL;
 			goto out;
 		}
@ -447,22 +444,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		debug("kex: %s cipher: %s MAC: %s compression: %s",
 		    ctos ? "client->server" : "server->client",
 		    newkeys->enc.name,
-@@ -1108,7 +1122,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg)
  */
 int
 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 -    const char *version_addendum)
 +    const char *version_addendum, int hpn_disabled)
 {
- 	int remote_major, remote_minor, mismatch;
+ 	int remote_major, remote_minor, mismatch, oerrno = 0;
 	size_t len, i, n;
-@@ -1125,8 +1139,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
+@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
 	sshbuf_reset(our_version);
 	if (version_addendum != NULL && *version_addendum == '\0')
 		version_addendum = NULL;
 -	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
 +	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
- 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
 +	    hpn_disabled ? "" : SSH_HPN,
 +#else
@ -470,7 +467,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 	    version_addendum == NULL ? "" : " ",
 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
- 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+ 		oerrno = errno;
 --- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
@ -527,9 +524,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 #if !defined(WITH_OPENSSL)
 # undef BIGNUM
 # undef EC_KEY
--- work/openssh-7.7p1/readconf.c.orig	2018-04-01 22:38:28.000000000 -0700
+--- work/openssh/readconf.c.orig	2021-09-08 09:56:20.567664000 -0700
-+++ work/openssh-7.7p1/readconf.c	2018-06-27 16:58:41.109275000 -0700
+++ work/openssh/readconf.c	2021-09-08 09:57:31.560617000 -0700
-@@ -66,6 +66,9 @@
+@@ -67,6 +67,9 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
@ -539,23 +536,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /* Format of the configuration file:
-@@ -167,6 +170,12 @@ typedef enum {
+@@ -168,6 +171,12 @@ typedef enum {
 	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 	oVisualHostKey,
- 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ 	oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull,
 +#ifdef HPN_ENABLED
 +	oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
 +#endif
 +#ifdef NONE_CIPHER_ENABLED
 +	oNoneSwitch, oNoneEnabled, 
 +#endif
 	oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass,
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
+@@ -316,6 +325,16 @@ static struct {
-@@ -304,6 +313,16 @@ static struct {
+ 	{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
- 	{ "updatehostkeys", oUpdateHostkeys },
+ 	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
- 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
+ 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
 +#ifdef NONE_CIPHER_ENABLED
 +	{ "noneenabled", oNoneEnabled },
 +	{ "noneswitch", oNoneSwitch },
@ -568,8 +565,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
- 
+ 	{ "securitykeyprovider", oSecurityKeyProvider },
-@@ -962,6 +981,44 @@ parse_time:
+@@ -1125,6 +1144,44 @@ parse_time:
 		intptr = &options->check_host_ip;
 		goto parse_flag;
@ -614,7 +611,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	case oVerifyHostKeyDNS:
 		intptr = &options->verify_host_key_dns;
 		multistate_ptr = multistate_yesnoask;
-@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
+@@ -2386,6 +2443,16 @@ initialize_options(Options * options)
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->request_tty = -1;
@ -628,10 +625,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	options->tcp_rcv_buf_poll = -1;
 +	options->tcp_rcv_buf = -1;
 +#endif
- 	options->proxy_use_fdpass = -1;
+ 	options->session_type = -1;
- 	options->ignored_unknown = NULL;
+ 	options->stdin_null = -1;
- 	options->num_canonical_domains = 0;
+ 	options->fork_after_authentication = -1;
-@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
+@@ -2557,6 +2624,34 @@ fill_default_options(Options * options)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
@ -908,23 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 .It Fl r
 Recursively copy entire directories when uploading and downloading.
 Note that
--- work.clean/openssh-6.8p1/sftp.c	2015-03-17 00:49:20.000000000 -0500
+--- work/openssh/ssh.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ work/openssh-6.8p1/sftp.c	2015-04-03 17:16:00.959795000 -0500
+++ work/openssh/ssh.c	2021-04-28 14:51:04.682167000 -0700
-@@ -71,7 +71,11 @@
+@@ -1027,6 +1027,14 @@ main(int ac, char **av)
 #include "sftp-client.h"
 #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
 +#ifdef HPN_ENABLED
 +#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
 +#else
 #define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
 +#endif
 /* File to read commands from */
 FILE* infile;
 --- work/openssh-7.7p1/ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/ssh.c	2018-06-27 17:05:30.011979000 -0700
@@ -954,6 +954,14 @@ main(int ac, char **av)
 			break;
 		case 'T':
 			options.request_tty = REQUEST_TTY_NO;
@ -939,12 +922,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 			break;
 		case 'o':
 			line = xstrdup(optarg);
-@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
+@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
- 	    NULL, fileno(stdin), &command, environ);
+ 	    NULL, fileno(stdin), command, environ);
 }
 +static void
-+hpn_options_init(void)
+hpn_options_init(struct ssh *ssh)
 +{
 +	/*
 +	 * We need to check to see if what they want to do about buffer
@ -969,7 +952,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	else
 +		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
-+	if (datafellows & SSH_BUG_LARGEWINDOW) {
+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
@ -1018,7 +1001,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /* open new channel for a session */
 static int
 ssh_session2_open(struct ssh *ssh)
-@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh)
 	if (!isatty(err))
 		set_nonblock(err);
@ -1036,7 +1019,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		window >>= 1;
 		packetmax >>= 1;
 	}
-@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh)
 	    window, packetmax, CHAN_EXTENDED_WRITE,
 	    "client-session", /*nonblock*/0);
@ -1046,12 +1029,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		debug ("Enabled Dynamic Window Scaling");
 +	}
 +#endif
- 	debug3("%s: channel_new: %d", __func__, c->self);
+ 	debug3_f("channel_new: %d", c->self);
 	channel_send_open(ssh, c->self);
-@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
 {
- 	int devnull, id = -1;
+ 	int r, id = -1;
 	char *cp, *tun_fwd_ifname = NULL;
 +
 +#ifdef HPN_ENABLED
@ -1060,7 +1043,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 * might open channels that use the hpn buffer sizes.  We can't send a
 +	 * window of -1 (the default) to the server as it breaks things.
 +	 */
-+	hpn_options_init();
+	hpn_options_init(ssh);
 +#endif
 	/* XXX should be pre-session */
@ -1136,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		sshpkt_fatal(ssh, r, "banner exchange");
 	/* Put the connection into non-blocking mode. */
--- sshconnect2.c.orig	2020-02-13 16:40:54.000000000 -0800
+--- work/openssh/sshconnect2.c.orig	2023-03-15 14:28:19.000000000 -0700
-+++ sshconnect2.c	2020-03-22 11:10:01.017282000 -0700
+++ work/openssh/sshconnect2.c	2023-05-19 14:20:01.965073000 -0700
-@@ -83,7 +83,13 @@
+@@ -83,7 +83,13 @@ extern Options options;
 extern char *client_version_string;
 extern char *server_version_string;
 extern Options options;
@ -1152,28 +1135,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /*
  * SSH2 key exchange
  */
-@@ -156,10 +162,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
+@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 	return ret;
 }
 +static char *myproposal[PROPOSAL_MAX];
 +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
 void
 ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
 {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
 	char *s, *all_key;
 	int r, use_known_hosts_order = 0;
@@ -183,6 +190,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
 		fatal("%s: kex_assemble_namelist", __func__);
 	free(all_key);
 +	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
 		fatal("%s: kex_names_cat", __func__);
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
@@ -435,6 +443,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 	if (!authctxt.success)
 		fatal("Authentication failed.");
@ -1185,11 +1147,16 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 * tty allocated.
 +	 */
 +	if ((options.none_switch == 1) && (options.none_enabled == 1)) {
 +		char *myproposal[PROPOSAL_MAX];
 +		char *s = NULL;
 +		const char *none_cipher = "none";
 +
 +		if (!tty_flag) { /* no null on tty sessions */
 +			debug("Requesting none rekeying...");
-+			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+			kex_proposal_populate_entries(ssh, myproposal, s, none_cipher,
-+			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+			    options.macs,
-+			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+			    compression_alg_list(options.compression),
 +			    options.hostkeyalgorithms);
 +			kex_prop2buf(ssh->kex->my, myproposal);
 +			packet_request_rekeying();
 +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
@ -1200,13 +1167,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		}
 +	}
 +#endif
-+
+ 	if (ssh_packet_connection_is_on_socket(ssh)) {
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
+ 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
- }
+ 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
- 
+--- work/openssh/sshd.c.orig	2021-09-08 10:00:01.411822000 -0700
--- work/openssh/sshd.c.orig	2020-11-10 21:36:31.340159000 -0800
+++ work/openssh/sshd.c	2021-09-08 10:03:02.820813000 -0700
-+++ work/openssh/sshd.c	2020-11-10 21:37:10.097038000 -0800
+@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la)
@@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la)
 	int ret, listen_sock;
 	struct addrinfo *ai;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@ -1217,7 +1183,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	for (ai = la->addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la)
+@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la)
 		debug("Bind to port %s on %s.", strport, ntop);
@ -1231,7 +1197,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		/* Bind the socket to the desired port. */
 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
 			error("Bind to port %s on %s failed: %.200s.",
-@@ -1753,6 +1764,15 @@ main(int ac, char **av)
+@@ -1760,6 +1771,15 @@ main(int ac, char **av)
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
@ -1244,10 +1210,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	}
 +#endif
 +
- 	/* challenge-response is implemented via keyboard interactive */
+ 	/* Check that options are sensible */
- 	if (options.challenge_response_authentication)
+ 	if (options.authorized_keys_command_user == NULL &&
- 		options.kbd_interactive_authentication = 1;
+ 	    (options.authorized_keys_command != NULL &&
-@@ -2220,6 +2240,11 @@ main(int ac, char **av)
+@@ -2216,6 +2236,11 @@ main(int ac, char **av)
 	    rdomain == NULL ? "" : "\"");
 	free(laddr);
@ -1259,7 +1225,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	/*
 	 * We don't want to listen forever unless the other side
 	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2233,7 +2258,7 @@ main(int ac, char **av)
+@@ -2229,7 +2254,7 @@ main(int ac, char **av)
 		alarm(options.login_grace_time);
 	if ((r = kex_exchange_identification(ssh, -1,
@ -1268,7 +1234,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		sshpkt_fatal(ssh, r, "banner exchange");
 	ssh_packet_set_nonblocking(ssh);
-@@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh)
 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
 	struct kex *kex;
 	int r;
@ -1278,7 +1244,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +                debug ("WARNING: None cipher enabled");
 +#endif
- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
 	    options.kex_algorithms);
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
@ -1303,11 +1269,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
--- work/openssh-7.7p1/version.h.orig	2018-04-01 22:38:28.000000000 -0700
+--- version.h.orig	2023-07-18 23:31:34.000000000 -0700
-+++ work/openssh-7.7p1/version.h	2018-06-27 17:13:57.263086000 -0700
+++ version.h	2023-07-21 07:27:08.311422000 -0700
@@ -4,3 +4,4 @@
- #define SSH_PORTABLE	"p1"
+ #define SSH_PORTABLE	"p2"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 +#define SSH_HPN         "-hpn14v15"
 --- work/openssh/kex.h.orig	2019-07-10 17:35:36.523216000 -0700
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
 ------------------------------------------------------------------------
--- readconf.c.orig	2020-03-21 16:51:23.450425000 -0700
+--- readconf.c.orig	2023-02-03 11:17:45.506822000 -0800
-+++ readconf.c	2020-03-21 17:00:01.827757000 -0700
+++ readconf.c	2023-02-03 11:30:14.894959000 -0800
-@@ -310,6 +310,12 @@ static struct {
+@@ -323,6 +323,12 @@ static struct {
- 	{ "ignoreunknown", oIgnoreUnknown },
+ 	{ "knownhostscommand", oKnownHostsCommand },
- 	{ "proxyjump", oProxyJump },
+ 	{ "requiredrsasize", oRequiredRSASize },
- 	{ "securitykeyprovider", oSecurityKeyProvider },
+ 	{ "enableescapecommandline", oEnableEscapeCommandline },
 +	{ "hpndisabled", oDeprecated },
 +	{ "hpnbuffersize", oDeprecated },
 +	{ "tcprcvbufpoll", oDeprecated },
@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
 	{ NULL, oBadOption }
 };
--- servconf.c.orig	2020-02-13 16:40:54.000000000 -0800
+--- servconf.c.orig	2023-02-02 04:21:54.000000000 -0800
-+++ servconf.c	2020-03-21 17:01:18.011062000 -0700
+++ servconf.c	2023-02-03 11:31:00.387624000 -0800
@@ -695,6 +695,10 @@ static struct {
- 	{ "rdomain", sRDomain, SSHCFG_ALL },
+ 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
- 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+ 	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
- 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ 	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
--- a/security/openssh-portable/files/extra-patch-libfido2-configure.ac
+++ b/security/openssh-portable/files/extra-patch-libfido2-configure.ac
@ -1,16 +0,0 @@
 Workaround libfido2 package having a libfido2.pc that requires libcrypto
 even with base OpenSSL which does not provide the proper pc file.
 --- configure.ac.orig	2020-11-19 14:21:03.890890000 -0800
 +++ configure.ac	2020-11-19 14:21:57.061193000 -0800
@@ -3256,8 +3256,8 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_interna
 		fi
 	fi
 	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
 -		LIBFIDO2=`$PKGCONFIG --libs libfido2`
 -		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
 +		LIBFIDO2="-lfido2 -lcrypto"
 +		#CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
 	else
 		LIBFIDO2="-lfido2 -lcbor"
 	fi
--- a/security/openssh-portable/files/extra-patch-pam-sshd_config
+++ b/security/openssh-portable/files/extra-patch-pam-sshd_config
@ -0,0 +1,31 @@
 --- sshd_config.nopam	2022-02-11 19:19:59.515475000 +0000
 +++ sshd_config	2022-02-11 19:20:45.334738000 +0000
@@ -55,8 +55,8 @@
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 -# To disable tunneled clear text passwords, change to no here!
 -#PasswordAuthentication yes
 +# To enable tunneled clear text passwords, change to yes here!
 +#PasswordAuthentication no
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
@@ -72,7 +72,7 @@
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 -# Set this to 'yes' to enable PAM authentication, account processing,
 +# Set this to 'no' to disable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
@@ -81,7 +81,7 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and KbdInteractiveAuthentication to 'no'.
 -#UsePAM no
 +#UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@ -83,11 +83,9 @@ index 0ade557..045f149 100644
 	/* Log the connection. */
 	laddr = get_local_ipaddr(sock_in);
-diff --git configure.ac configure.ac
+--- configure.ac.orig	2022-02-23 03:31:11.000000000 -0800
-index f48ba4a..66fbe82 100644
+++ configure.ac	2022-03-02 12:47:49.958341000 -0800
--- configure.ac.orig	2019-04-17 15:52:57.000000000 -0700
+@@ -1599,6 +1599,62 @@ else
 +++ configure.ac	2019-07-02 20:58:48.627832000 -0700
@@ -1494,6 +1494,62 @@ else
 	AC_MSG_RESULT([no])
 fi
@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -5245,6 +5301,7 @@ echo "                       PAM support: $PAM_MSG"
+@@ -5593,6 +5649,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@ -1,7 +1,5 @@
 #!/bin/sh
 # $FreeBSD$
 #
 # PROVIDE: openssh
 # REQUIRE: DAEMON
 # KEYWORD: shutdown
@ -24,6 +22,16 @@ load_rc_config ${name}
 : ${openssh_enable:="NO"}
 : ${openssh_skipportscheck="NO"}
 # These only control ssh-keygen automatically generating host keys.
 : ${openssh_dsa_enable="YES"}
 : ${openssh_dsa_flags=""}
 : ${openssh_rsa_enable="YES"}
 : ${openssh_rsa_flags=""}
 : ${openssh_ecdsa_enable="YES"}
 : ${openssh_ecdsa_flags=""}
 : ${openssh_ed25519_enable="YES"}
 : ${openssh_ed25519_flags=""}
 command=%%PREFIX%%/sbin/sshd
 extra_commands="configtest reload keygen"
 start_precmd="${name}_checks"
@ -35,10 +43,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
 openssh_keygen()
 {
-	if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
+	local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
-	    -f %%ETCDIR%%/ssh_host_rsa_key -a \
+	checkyesno openssh_dsa_enable || skip_dsa=y
-	    -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
+	checkyesno openssh_rsa_enable || skip_rsa=y
-	    -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
+	checkyesno openssh_ecdsa_enable || skip_ecdsa=y
 	checkyesno openssh_ed25519_enable || skip_ed25519=y
 	if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
 	    \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
 	    \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
 	    \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
 		return 0
 	fi
@ -52,8 +66,8 @@ openssh_keygen()
 		echo "You already have a DSA host key" \
 			"in %%ETCDIR%%/ssh_host_dsa_key"
 		echo "Skipping protocol version 2 DSA Key Generation"
-	else
+	elif checkyesno openssh_dsa_enable; then
-		%%PREFIX%%/bin/ssh-keygen -t dsa \
+		%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
 			-f %%ETCDIR%%/ssh_host_dsa_key -N ''
 	fi
@ -61,8 +75,8 @@ openssh_keygen()
 		echo "You already have a RSA host key" \
 			"in %%ETCDIR%%/ssh_host_rsa_key"
 		echo "Skipping protocol version 2 RSA Key Generation"
-	else
+	elif checkyesno openssh_rsa_enable; then
-		%%PREFIX%%/bin/ssh-keygen -t rsa \
+		%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
 			-f %%ETCDIR%%/ssh_host_rsa_key -N ''
 	fi
@ -70,8 +84,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve DSA host key" \
 			"in %%ETCDIR%%/ssh_host_ecdsa_key"
 		echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
-	else
+	elif checkyesno openssh_ecdsa_enable; then
-		%%PREFIX%%/bin/ssh-keygen -t ecdsa \
+		%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
 			-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
 	fi
@ -79,8 +93,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve ED25519 host key" \
 			"in %%ETCDIR%%/ssh_host_ed25519_key"
 		echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
-	else
+	elif checkyesno openssh_ed25519_enable; then
-		%%PREFIX%%/bin/ssh-keygen -t ed25519 \
+		%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
 			-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
 	fi
 }
@ -158,7 +172,7 @@ openssh_checks()
      fi
 	fi
-	run_rc_command keygen
+	openssh_keygen
 	openssh_configtest
 }
--- a/security/openssh-portable/files/patch-FreeBSD-cap_cache_tzdata
+++ b/security/openssh-portable/files/patch-FreeBSD-cap_cache_tzdata
@ -0,0 +1,49 @@
 diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
 new file mode 100644
 index 000000000000..bf3889265b77
 --- /dev/null
 +++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
@@ -0,0 +1,43 @@
 +commit fc3c19a9fceeea48a9259ac3833a125804342c0e
 +Author: Ed Maste <emaste@FreeBSD.org>
 +Date:   Sat Oct 6 21:32:55 2018 +0000
 +
 +    sshd: address capsicum issues
 +    
 +    * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
 +      capability mode.
 +    * Cache timezone data via caph_cache_tzdata() as we cannot access the
 +      timezone file.
 +    * Reverse resolve hostname before entering capability mode.
 +    
 +    PR:             231172
 +    Submitted by:   naito.yuichiro@gmail.com
 +    Reviewed by:    cem, des
 +    Approved by:    re (rgrimes)
 +    MFC after:      3 weeks
 +    Differential Revision:  https://reviews.freebsd.org/D17128
 +
 +Notes:
 +    svn path=/head/; revision=339216
 +
 +diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
 +index 5f41d526292b..f728abd18250 100644
 +--- sandbox-capsicum.c
 ++++ sandbox-capsicum.c
 +@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
 + #include <stdlib.h>
 + #include <string.h>
 + #include <unistd.h>
 ++#include <capsicum_helpers.h>
 + 
 + #include "log.h"
 + #include "monitor.h"
 +@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 + 	struct rlimit rl_zero;
 + 	cap_rights_t rights;
 + 
 ++	caph_cache_tzdata();
 ++
 + 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
 + 
 + 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
--- a/security/openssh-portable/files/patch-FreeBSD-logincap
+++ b/security/openssh-portable/files/patch-FreeBSD-logincap
@ -0,0 +1,69 @@
 (pulled from the PR)
 commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
 Author: Ed Maste <emaste@FreeBSD.org>
 Date:   Tue Aug 31 15:30:50 2021 -0400
    openssh: simplify login class restrictions
    Login class-based restrictions were introduced in 5b400a39b8ad.  The
    code was adapted for sshd's Capsicum sandbox and received many changes
    over time, including at least fc3c19a9fcee, bd393de91cc3, and
    e8c56fba2926.
    During an attempt to upstream the work a much simpler approach was
    suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
    future updates.
    Submitted by:   Yuchiro Naito (against OpenSSH-portable on GitHub)
    Obtained from:  https://github.com/openssh/openssh-portable/pull/262
    Reviewed by:    allanjude, kevans
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D31760
 --- auth.c
 +++ auth.c
@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
 {
 #ifdef HAVE_LOGIN_CAP
 	extern login_cap_t *lc;
 +#ifdef HAVE_AUTH_HOSTOK
 +	const char *from_host, *from_ip;
 +#endif
 #ifdef BSD_AUTH
 	auth_session_t *as;
 #endif
@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
 		debug("unable to get login class: %s", user);
 		return (NULL);
 	}
 +#ifdef HAVE_AUTH_HOSTOK
 +	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
 +	from_ip = ssh_remote_ipaddr(ssh);
 +	if (!auth_hostok(lc, from_host, from_ip)) {
 +		debug("Denied connection for %.200s from %.200s [%.200s].",
 +		      pw->pw_name, from_host, from_ip);
 +		return (NULL);
 +	}
 +#endif /* HAVE_AUTH_HOSTOK */
 +#ifdef HAVE_AUTH_TIMEOK
 +	if (!auth_timeok(lc, time(NULL))) {
 +		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
 +		return (NULL);
 +	}
 +#endif /* HAVE_AUTH_TIMEOK */
 #ifdef BSD_AUTH
 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
 --- configure.ac
 +++ configure.ac
@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
 +	auth_hostok \
 +	auth_timeok \
 	Blowfish_initstate \
 	Blowfish_expandstate \
 	Blowfish_expand0state \
--- a/security/openssh-portable/files/patch-auth.c
+++ b/security/openssh-portable/files/patch-auth.c
@ -1,21 +0,0 @@
 --- UTC
 r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines
 Changed paths:
   M /head/crypto/openssh/auth.c
 Use login_getpwclass() instead of login_getclass() so that the root
 vs. default login class distinction is made correctly.
 PR:             37416
 --- auth.c.orig	2010-08-12 11:33:01.000000000 -0600
 +++ auth.c	2010-09-14 16:14:12.000000000 -0600
@@ -594,7 +594,7 @@
 	if (!allowed_user(pw))
 		return (NULL);
 #ifdef HAVE_LOGIN_CAP
 -	if ((lc = login_getclass(pw->pw_class)) == NULL) {
 +	if ((lc = login_getpwclass(pw)) == NULL) {
 		debug("unable to get login class: %s", user);
 		return (NULL);
 	}
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@ -1,47 +0,0 @@
 --- UTC
 r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
 Changed paths:
   M /head/crypto/openssh/auth2.c
 Apply class-imposed login restrictions.
 --- auth2.c.orig	2020-09-27 00:25:01.000000000 -0700
 +++ auth2.c	2020-11-16 13:55:25.222771000 -0800
@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
 	int r, authenticated = 0;
 	double tstart = monotime_double();
 +#ifdef HAVE_LOGIN_CAP
 +	login_cap_t *lc;
 +	const char *from_host, *from_ip;
 +#endif
 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
 		    "not allowed: (%s,%s) -> (%s,%s)",
 		    authctxt->user, authctxt->service, user, service);
 	}
 +
 +#ifdef HAVE_LOGIN_CAP
 +	if (authctxt->pw != NULL &&
 +	    (lc = login_getpwclass(authctxt->pw)) != NULL) {
 +		from_host = auth_get_canonical_hostname(ssh, options.use_dns);
 +		from_ip = ssh_remote_ipaddr(ssh);
 +		if (!auth_hostok(lc, from_host, from_ip)) {
 +			logit("Denied connection for %.200s from %.200s [%.200s].",
 +			    authctxt->pw->pw_name, from_host, from_ip);
 +			ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
 +		}
 +		if (!auth_timeok(lc, time(NULL))) {
 +			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
 +			    authctxt->pw->pw_name, from_host);
 +			ssh_packet_disconnect(ssh, "Logins not available right now.");
 +		}
 +		login_close(lc);
 +	}
 +#endif  /* HAVE_LOGIN_CAP */
 +
 	/* reset state */
 	auth2_challenge_stop(ssh);
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@ -1,22 +0,0 @@
 --- UTC
 base defaults
 r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
 Changed paths:
   M /head/crypto/openssh/myproposal.h
   M /head/crypto/openssh/readconf.c
   M /head/crypto/openssh/servconf.c
 Apply FreeBSD's configuration defaults.
 --- readconf.c.orig	2014-07-17 23:11:26.000000000 -0500
 +++ readconf.c	2014-11-03 16:45:05.188796445 -0600
@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
 -		options->check_host_ip = 1;
 +		options->check_host_ip = 0;
 	if (options->strict_host_key_checking == -1)
 		options->strict_host_key_checking = 2;	/* 2 is default */
 	if (options->compression == -1)
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@ -13,18 +13,18 @@ to the child process.
 Reviewed by:    ache
 Sponsored by:   DARPA, NAI Labs
--- session.c.orig	2020-09-27 00:25:01.000000000 -0700
+--- session.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ session.c	2020-11-19 14:41:50.745308000 -0800
+++ session.c	2021-04-27 13:11:13.515917000 -0700
-@@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
+@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
 }
 #endif /* HAVE_ETC_DEFAULT_LOGIN */
 -#if defined(USE_PAM) || defined(HAVE_CYGWIN)
 +#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
 static void
- copy_environment_blacklist(char **source, char ***env, u_int *envsize,
+ copy_environment_denylist(char **source, char ***env, u_int *envsize,
-     const char *blacklist)
+     const char *denylist)
-@@ -1056,7 +1056,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
 # endif /* HAVE_CYGWIN */
 #endif /* HAVE_LOGIN_CAP */
@ -34,7 +34,7 @@ Sponsored by:   DARPA, NAI Labs
 		snprintf(buf, sizeof buf, "%.200s/%.50s",
 		    _PATH_MAILDIR, pw->pw_name);
 		child_set_env(&env, &envsize, "MAIL", buf);
-@@ -1067,6 +1068,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
 	if (getenv("TZ"))
 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
@ -48,7 +48,7 @@ Sponsored by:   DARPA, NAI Labs
 +		environ = xmalloc(sizeof(char *));
 +		*environ = NULL;
 +		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
-+		copy_environment_blacklist(environ, &env, &envsize, NULL);
+		copy_environment_denylist(environ, &env, &envsize, NULL);
 +		for (var = environ; *var != NULL; ++var)
 +			free(*var);
 +		free(environ);
@ -58,7 +58,7 @@ Sponsored by:   DARPA, NAI Labs
 	if (s->term)
 		child_set_env(&env, &envsize, "TERM", s->term);
 	if (s->display)
-@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw)
+@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
 #ifdef HAVE_LOGIN_CAP
 	if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
 		return;
@ -67,7 +67,7 @@ Sponsored by:   DARPA, NAI Labs
 #else
 	if (pw->pw_uid == 0)
 		return;
-@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
 	if (platform_privileged_uidswap()) {
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid,
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
--- ssh-agent.c.orig	2020-09-27 00:25:01.000000000 -0700
+--- ssh-agent.c.orig	2023-02-02 04:21:54.000000000 -0800
-+++ ssh-agent.c	2020-11-09 09:07:10.924940000 -0800
+++ ssh-agent.c	2023-02-03 10:55:34.277561000 -0800
-@@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+@@ -188,11 +188,28 @@ static int restrict_websafe = 1;
 /* Refuse signing of non-SSH messages for web-origin FIDO keys */
 static int restrict_websafe = 1;
@ -27,28 +27,31 @@ disconnected.
 static void
 close_socket(SocketEntry *e)
 {
 	size_t i;
 +	int last = 0;
-+
+ 
 +	if (e->type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount - 1);
 +		if (--xcount == 0)
 +			last = 1;
 +	}
 +
 	close(e->fd);
 	e->fd = -1;
 	e->type = AUTH_UNUSED;
 	sshbuf_free(e->input);
 	sshbuf_free(e->output);
- 	sshbuf_free(e->request);
+@@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
 	memset(e, '\0', sizeof(*e));
 	e->fd = -1;
 	e->type = AUTH_UNUSED;
 +	if (last)
 +		cleanup_exit(0);
 }
 static void
-@@ -961,6 +980,10 @@ new_socket(sock_type type, int fd)
+@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
 {
 	u_int i, old_alloc, new_alloc;
 	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
 	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
 +	if (type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount + 1);
 +		++xcount;
@ -56,16 +59,16 @@ disconnected.
 	set_nonblock(fd);
 	if (fd > max_fd)
-@@ -1261,7 +1284,7 @@ static void
+@@ -1990,7 +2013,7 @@ usage(void)
 usage(void)
 {
 	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- 	    "                 [-P allowed_providers] [-t life]\n"
+ 	    "                 [-O option] [-P allowed_providers] [-t life]\n"
- 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
+ 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
- 	    "                 [-t life] command [arg ...]\n"
+ 	    "                 [-P allowed_providers] [-t life] command [arg ...]\n"
-@@ -1295,6 +1318,7 @@ main(int ac, char **av)
+@@ -2024,6 +2047,7 @@ main(int ac, char **av)
 	/* drop */
 	setegid(getgid());
 	setgid(getgid());
@ -73,7 +76,7 @@ disconnected.
 	platform_disable_tracing(0);	/* strict=no */
-@@ -1306,7 +1330,7 @@ main(int ac, char **av)
+@@ -2035,7 +2059,7 @@ main(int ac, char **av)
 	__progname = ssh_get_progname(av[0]);
 	seed_rng();
@ -82,7 +85,7 @@ disconnected.
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1355,6 +1379,9 @@ main(int ac, char **av)
+@@ -2084,6 +2108,9 @@ main(int ac, char **av)
 				fprintf(stderr, "Invalid lifetime\n");
 				usage();
 			}
--- a/security/openssh-portable/files/patch-ssh_config.5
+++ b/security/openssh-portable/files/patch-ssh_config.5
@ -1,21 +1,7 @@
 --- UTC
 r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
 Document the FreeBSD default for CheckHostIP, which was changed in
 rev 1.2 of readconf.c.
 --- ssh_config.5.orig	2020-11-16 11:53:55.871161000 -0800
 +++ ssh_config.5	2020-11-16 12:43:41.763006000 -0800
@@ -420,8 +420,7 @@ or
 .Cm no .
 .It Cm CheckHostIP
 If set to
 -.Cm yes
 -(the default),
 +.Cm yes ,
 .Xr ssh 1
 will additionally check the host IP address in the
 .Pa known_hosts
@@ -434,6 +433,8 @@ in the process, regardless of the setting of
 If the option is set to
 .Cm no ,
--- a/security/openssh-portable/files/patch-sshd.8
+++ b/security/openssh-portable/files/patch-sshd.8
@ -24,13 +24,3 @@ Document FreeBSD/port-specific paths
 (unless root).
 .It
 Changes to run with normal user privileges.
@@ -407,7 +408,8 @@
 exists, runs it; else if
 .Pa /etc/ssh/sshrc
 exists, runs
 -it; otherwise runs xauth.
 +it; otherwise runs
 +.Xr xauth 1 .
 The
 .Dq rc
 files are given the X11
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@ -33,8 +33,8 @@ of short-living parent. Only mark the master process that accepts
 connections, do not protect connection handlers spawned from inetd.
--- sshd.c.orig	2010-04-15 23:56:22.000000000 -0600
+--- sshd.c.orig	2021-04-27 11:49:55.540744000 -0700
-+++ sshd.c	2010-09-14 16:14:13.000000000 -0600
+++ sshd.c	2021-04-27 11:50:20.239225000 -0700
@@ -46,6 +46,7 @@
 #include <sys/types.h>
@ -43,7 +43,7 @@ connections, do not protect connection handlers spawned from inetd.
 #include <sys/socket.h>
 #ifdef HAVE_SYS_STAT_H
 # include <sys/stat.h>
-@@ -83,6 +84,13 @@
+@@ -85,6 +86,13 @@
 #include <prot.h>
 #endif
@ -56,24 +56,13 @@ connections, do not protect connection handlers spawned from inetd.
 +
 #include "xmalloc.h"
 #include "ssh.h"
- #include "ssh1.h"
+ #include "ssh2.h"
-@@ -1877,6 +1885,10 @@
+@@ -2007,7 +2015,30 @@ main(int ac, char **av)
- 	/* Reinitialize the log (because of the fork above). */
+ 	for (i = 0; i < options.num_log_verbose; i++)
- 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ 		log_verbose_add(options.log_verbose[i]);
 + 	/* Avoid killing the process in high-pressure swapping environments. */
 + 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
 + 		debug("madvise(): %.200s", strerror(errno));
 +
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	if (chdir("/") == -1)
@@ -1995,6 +2007,29 @@
 	signal(SIGCHLD, SIG_DFL);
 	signal(SIGINT, SIG_DFL);
 +#ifdef __FreeBSD__
-+	/*
+ 	/*
 +	 * Initialize the resolver.  This may not happen automatically
 +	 * before privsep chroot().
 +	 */
@ -95,6 +84,18 @@ connections, do not protect connection handlers spawned from inetd.
 +#endif
 +#endif
 +
 +	/*
 	 * If not in debugging mode, not started from inetd and not already
 	 * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
 	 * terminal, and fork.  The original process exits.
@@ -2022,6 +2053,10 @@ main(int ac, char **av)
 	}
 	/* Reinitialize the log (because of the fork above). */
 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
 +
 + 	/* Avoid killing the process in high-pressure swapping environments. */
 + 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
 + 		debug("madvise(): %.200s", strerror(errno));
 	/*
- 	 * Register our connection.  This turns encryption off because we do
+ 	 * Chdir to the root directory so that the current disk can be
 	 * not have a key.
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@ -1,5 +1,8 @@
--- sshd_config.orig	2013-02-11 18:02:09.000000000 UTC
+!!!
-+++ sshd_config	2013-05-13 06:46:45.153627197 -0500
+!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
 !!!
 --- sshd_config.orig	2022-02-11 18:49:55.062881000 +0000
 +++ sshd_config	2022-02-11 18:52:31.639435000 +0000
@@ -10,6 +10,9 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
@ -10,7 +13,7 @@
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
-@@ -50,8 +53,7 @@
+@@ -37,8 +40,7 @@
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@ -20,37 +23,7 @@
 #AuthorizedPrincipalsFile none
-@@ -68,11 +70,11 @@
+@@ -84,7 +86,7 @@
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 -# To disable tunneled clear text passwords, change to no here!
 -#PasswordAuthentication yes
 +# Change to yes to enable built-in password authentication.
 +#PasswordAuthentication no
 #PermitEmptyPasswords no
 -# Change to no to disable s/key passwords
 +# Change to no to disable PAM authentication
 #ChallengeResponseAuthentication yes
 # Kerberos options
@@ -85,7 +87,7 @@
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 -# Set this to 'yes' to enable PAM authentication, account processing,
 +# Set this to 'no' to disable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
@@ -94,12 +96,12 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 -#UsePAM no
 +#UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@ -1,19 +1,8 @@
--- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
+--- sshd_config.5.orig	2022-02-11 18:50:00.822679000 +0000
-+++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
+++ sshd_config.5	2022-02-11 19:09:05.162504000 +0000
-@@ -373,7 +373,9 @@ By default, no banner is displayed.
+@@ -701,7 +701,9 @@
- .It Cm ChallengeResponseAuthentication
+ .Qq ssh -Q HostbasedAcceptedAlgorithms .
- Specifies whether challenge-response authentication is allowed (e.g. via
+ This was formerly named HostbasedAcceptedKeyTypes.
 PAM or through authentication styles supported in
 -.Xr login.conf 5 )
 +.Xr login.conf 5 ) .
 +See also
 +.Cm UsePAM .
 The default is
 .Cm yes .
 .It Cm ChrootDirectory
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q key .
 .It Cm HostbasedAuthentication
 -Specifies whether rhosts or /etc/hosts.equiv authentication together
 +Specifies whether rhosts or
@ -22,7 +11,7 @@
 with successful public key client host authentication is allowed
 (host-based authentication).
 The default is
-@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
+@@ -1277,7 +1279,23 @@
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
@ -31,6 +20,7 @@
 +.Nm sshd
 +was built without PAM support, in which case the default is
 .Cm yes .
 +.Pp
 +Note that if
 +.Cm ChallengeResponseAuthentication
 +is
@ -45,7 +35,7 @@
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
-@@ -1232,6 +1251,13 @@ and
+@@ -1416,6 +1434,13 @@
 .Cm ethernet .
 The default is
 .Cm no .
@ -59,12 +49,15 @@
 .Pp
 Independent of this setting, the permissions of the selected
 .Xr tun 4
-@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
+@@ -1774,12 +1799,19 @@
 .Xr sshd 8
 as a non-root user.
 The default is
-.Cm no .
+.Cm yes ,
-+.Cm yes .
+unless
 +.Nm sshd
 +was built without PAM support, in which case the default is
 .Cm no .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
@ -77,7 +70,7 @@
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's
-@@ -1512,7 +1541,7 @@ The argument must be
+@@ -1793,7 +1825,7 @@
 or
 .Cm no .
 The default is
--- a/security/openssh-portable/pkg-descr
+++ b/security/openssh-portable/pkg-descr
@ -11,5 +11,3 @@ The portable OpenSSH follows development of the official version, but releases
 are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
 The official OpenBSD source will never use the 'p' suffix, but will instead
 increment the version number when they hit 'stable spots' in their development.
 WWW: https://www.openssh.com/portable.html
--- a/security/patch-9.8-cves
+++ b/security/patch-9.8-cves
@ -0,0 +1,56 @@
 https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
 Damien Miller djm at mindrot.org
 Mon Jul 1 18:21:11 AEST 2024
 Previous message (by thread): Announce: OpenSSH 9.8 released
 Next message (by thread): Announce: OpenSSH 9.8 released
 Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
 Hi,
 Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
 prevent exploitation of this bug is to disable the login grace timer
 by setting LoginGraceTime=0 in sshd_config. This will however make
 it much easier for an attacker to deny service to sshd.
 Similarly, the much more minor keystroke timing bug can be avoided
 by disabling the feature using ObscureKeystrokeTiming=0.
 Some users will understandably prefer to patch their OpenSSH rather
 than upgrade to the newest version, so here are minimal patches for
 both problems.
 1) Critical race condition in sshd
 2) Minor logic error in ObscureKeystrokeTiming
 --- log.c.orig	2024-07-02 09:05:35.023051000 -0700
 +++ log.c	2024-07-02 09:05:54.881067000 -0700
@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line
 sshsigdie(const char *file, const char *func, int line, int showfunc,
     LogLevel level, const char *suffix, const char *fmt, ...)
 {
 +#ifdef SYSLOG_R_SAFE_IN_SIGHAND
 	va_list args;
 	va_start(args, fmt);
 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
 	    suffix, fmt, args);
 	va_end(args);
 +#endif
 	_exit(1);
 }
 --- clientloop.c.orig	2024-07-02 09:06:09.736347000 -0700
 +++ clientloop.c	2024-07-02 09:06:41.414979000 -0700
@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim
 		if (timespeccmp(&now, &chaff_until, >=)) {
 			/* Stop if there have been no keystrokes for a while */
 			stop_reason = "chaff time expired";
 -		} else if (timespeccmp(&now, &next_interval, >=)) {
 -			/* Otherwise if we were due to send, then send chaff */
 +		} else if (timespeccmp(&now, &next_interval, >=) &&
 +		    !ssh_packet_have_data_to_write(ssh)) {
 +			/* If due to send but have no data, then send chaff */
 			if (send_chaff(ssh))
 				nchaff++;
 		}
Author	SHA1	Message	Date
Xavier Beaudouin	713b5d7dbb	9.3	2024-10-08 15:12:26 +02:00
Xavier Beaudouin	752fa07dd9	Oups	2024-10-08 15:11:57 +02:00
Xavier Beaudouin	5a010bc915	Update	2024-10-08 15:07:11 +02:00
Xavier Beaudouin	bfe724e9fe	Type patch	2024-10-08 15:05:03 +02:00
Xavier Beaudouin	4791a89071	Fix	2024-10-08 14:46:14 +02:00
Xavier Beaudouin	e076a989d8	Try SA-23:02	2024-10-08 14:40:51 +02:00
Xavier Beaudouin	3cfb2ab8d6	Fix	2024-10-08 12:06:09 +02:00
Xavier Beaudouin	ea9f08f64b	Patch 2	2024-10-08 12:03:31 +02:00
Xavier Beaudouin	d0416b71a4	Added patch	2024-10-08 10:53:25 +02:00
Xavier Beaudouin	1b2c8330ff	Going back to openssh 8.8	2024-10-08 09:54:55 +02:00
Xavier Beaudouin	09e08245c5	Bump version id	2024-10-07 17:50:55 +02:00
Xavier Beaudouin	a61e3278a0	Fix CVE	2024-10-07 17:46:18 +02:00
Xavier Beaudouin	f3766011fd	Try without this one	2024-10-07 17:33:59 +02:00
Xavier Beaudouin	7fc412d3b3	Backport SA + CVE	2024-10-07 17:31:24 +02:00
Xavier Beaudouin	ce9923924e	9.6 fails -> 9.3	2024-10-07 16:27:41 +02:00
Xavier Beaudouin	c469356292	9.6	2024-10-07 16:19:51 +02:00
Xavier Beaudouin	317bd8d30d	openssh 9-2	2024-10-07 16:14:21 +02:00
Xavier Beaudouin	457a80ca77	Update openssh 9.0	2024-10-07 16:09:16 +02:00
Xavier Beaudouin	f035f378a6	openssh 8.8	2024-10-07 15:15:06 +02:00
Xavier Beaudouin	23173ef4f8	Removed	2024-10-07 15:14:26 +02:00
Xavier Beaudouin	8284183dc6	Removed for tests	2024-10-07 11:29:52 +02:00