- Update to 4.4p1.

- Disable temporary HPN patch until HPN release new version. - Fix rc.d script path in sshd.8 - Add FreeBSD-${PKGNAME} in SSH_VERSION and SSH_RELEASE like src does. - Sync patches with src. Security: CVE-2006-4924, CVE-2006-5051
svn path=/head/; revision=174213
2025-07-18 17:59:20 -04:00 · 2006-10-01 02:15:00 +00:00 · 2006-10-01 02:15:00 +00:00 · 5ef0f821ec · 2021-03-31 03:12:20 +00:00
commit 5ef0f821ec
parent 38829c3602
21 changed files with 477 additions and 458 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -6,8 +6,7 @@
 #

 PORTNAME=	openssh
-DISTVERSION=	4.3p2
-PORTREVISION=	1
+DISTVERSION=	4.4p1
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \
@ -42,8 +41,8 @@ USE_OPENSSL=		yes
 USE_PERL5_BUILD=	yes
 GNU_CONFIGURE=		yes
 CONFIGURE_TARGET=	--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
-CONFIGURE_ARGS=		--prefix=${PREFIX} --with-md5-passwords \
-			--without-zlib-version-check
+CONFIGURE_ARGS=		--prefix=${PREFIX} --mandir=${MANPREFIX}/man \
+			--with-md5-passwords --without-zlib-version-check
 PRECIOUS=		ssh_config sshd_config ssh_host_key ssh_host_key.pub \
 			ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key \
 			ssh_host_dsa_key.pub
@ -134,6 +133,7 @@ EXTRA_PATCHES+=		${FILESDIR}/scardpin.patch
 .endif

 .if defined(WITH_HPN)
+IGNORE=			option HPN is temporary disabled, waiting patch for new openssh release
 PATCH_DIST_STRIP=	-p1
 PATCH_SITES+=		http://www.psc.edu/networking/projects/hpn-ssh/
 PATCHFILES+=		openssh-4.3p2-hpn12.diff.gz
@ -142,7 +142,7 @@ PATCHFILES+=		openssh-4.3p2-hpn12.diff.gz
 .if defined(WITH_OVERWRITE_BASE)
 WITH_OPENSSL_BASE=	yes
 BASE_SUFFIX=		-overwrite-base
-CONFIGURE_ARGS+=	--mandir=${PREFIX}/share/man --localstatedir=/var
+CONFIGURE_ARGS+=	--localstatedir=/var
 EMPTYDIR=		/var/empty
 PREFIX=			/usr
 ETCSSH=			/etc/ssh
@ -168,6 +168,13 @@ PLIST_SUB+=		BASE="@comment "
 PLIST_SUB+=		EMPTYDIR="${EMPTYDIR}"
 CONFIGURE_ARGS+=	--sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}

+# Sync this with bsd.port.mk
+.if (${OSVERSION} >= 700007 || ( ${OSVERSION} < 700000 && ${OSVERSION} >= 600101 ))
+RC_SCRIPT_NAME=		openssh
+.else
+RC_SCRIPT_NAME=		openssh.sh
+.endif
+
 post-extract:
 .if defined(OPENSSH_SNAPSHOT)
 	@# rc.d script have same name of openssh snapshot dir
@ -176,6 +183,21 @@ post-extract:

 post-patch:
 	@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
+.if defined(WITH_OVERWRITE_BASE)
+	@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
+		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
+.else
+	@${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|' \
+		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
+.endif
+	@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
+		-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
+	@${ECHO_CMD} '#define FREEBSD_PORT_VERSION	" FreeBSD-${PKGNAME}"' >> \
+		${WRKSRC}/version.h
+	@${ECHO_CMD} '#define SSH_VERSION	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
+		${WRKSRC}/version.h
+	@${ECHO_CMD} '#define SSH_RELEASE	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
+		${WRKSRC}/version.h

 pre-install:
 .if defined(WITH_OVERWRITE_BASE)
@ -204,13 +226,8 @@ post-install:
 .if defined(WITH_OVERWRITE_BASE)
 	@${ECHO_CMD} "===> Installing rc.d startup script(s)"
 	@${ECHO_CMD} "@cwd ${LOCALBASE}" >> ${TMPPLIST}
-.if ${OSVERSION} >= 700007
-	@${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh
-	@${ECHO_CMD} "etc/rc.d/openssh" >> ${TMPPLIST}
-.else
-	@${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh.sh
-	@${ECHO_CMD} "etc/rc.d/openssh.sh" >> ${TMPPLIST}
-.endif
+	@${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/${RC_SCRIPT_NAME}
+	@${ECHO_CMD} "etc/rc.d/${RC_SCRIPT_NAME}" >> ${TMPPLIST}
 	@${ECHO_CMD} "@cwd ${PREFIX}" >> ${TMPPLIST}
 .endif
 	@${CAT} ${PKGMESSAGE}
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@ -1,6 +1,3 @@
-MD5 (openssh-4.3p2.tar.gz) = 7e9880ac20a9b9db0d3fea30a9ff3d46
-SHA256 (openssh-4.3p2.tar.gz) = 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f
-SIZE (openssh-4.3p2.tar.gz) = 941455
-MD5 (openssh-4.3p2-hpn12.diff.gz) = f2fef0ecd2315d940dbb5b9188546400
-SHA256 (openssh-4.3p2-hpn12.diff.gz) = 704ff6ac9737850ac04b77bbb613099c0d557be4a0b28925946a90a76d7d7ac0
-SIZE (openssh-4.3p2-hpn12.diff.gz) = 14891
+MD5 (openssh-4.4p1.tar.gz) = 793a709a8de695c22f523024d7e9bf07
+SHA256 (openssh-4.4p1.tar.gz) = 0252474af4009129cde6a2df2893fb1ac24316436758796f6adc043ac73b35ac
+SIZE (openssh-4.4p1.tar.gz) = 1044334
--- a/security/openssh-portable/files/patch-auth.c
+++ b/security/openssh-portable/files/patch-auth.c
@ -1,24 +1,6 @@
--- auth.c.orig	Thu Aug 12 14:40:25 2004
-+++ auth.c	Mon Sep 20 05:04:48 2004
-@@ -208,6 +208,17 @@
- 		return 0;
- #endif
- 
-+#ifdef __FreeBSD__
-+	/* Fail if the account's expiration time has passed. */
-+	if (pw->pw_expire != 0) {
-+		struct timeval tv;
-+
-+		(void)gettimeofday(&tv, NULL);
-+		if (tv.tv_sec >= pw->pw_expire)
-+			return 0;
-+	}
-+#endif /* __FreeBSD__ */
-+
- 	/* We found no reason not to let this user try to log on... */
- 	return 1;
- }
-@@ -472,7 +483,7 @@
+--- auth.c.orig	Wed Sep  6 21:36:43 2006
+++ auth.c	Sat Sep 30 10:38:04 2006
+@@ -500,7 +501,7 @@
 	if (!allowed_user(pw))
 		return (NULL);
 #ifdef HAVE_LOGIN_CAP
--- a/security/openssh-portable/files/patch-auth1.c
+++ b/security/openssh-portable/files/patch-auth1.c
@ -1,30 +1,28 @@
--- auth1.c.orig	Sun Jul 17 04:26:44 2005
-+++ auth1.c	Thu Sep  1 11:23:35 2005
-@@ -26,6 +26,7 @@
- #include "uidswap.h"
+--- auth1.c.orig	Fri Sep  1 02:38:36 2006
+++ auth1.c	Sat Sep 30 18:47:57 2006
+@@ -39,6 +39,7 @@
+ #endif
 #include "monitor_wrap.h"
 #include "buffer.h"
 +#include "canohost.h"
 
 /* import */
 extern ServerOptions options;
-@@ -220,6 +221,15 @@
+@@ -238,6 +239,13 @@
 	char info[1024];
 	int prev = 0, type = 0;
 	const struct AuthMethod1 *meth;
 +#ifdef HAVE_LOGIN_CAP
 +	login_cap_t *lc;
-+#endif /* HAVE_LOGIN_CAP */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
 +	const char *from_host, *from_ip;
 +
 +	from_host = get_canonical_hostname(options.use_dns);
 +	from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif
 
 	debug("Attempting authentication for %s%.100s.",
 	    authctxt->valid ? "" : "invalid user ", authctxt->user);
-@@ -270,6 +280,33 @@
+@@ -288,6 +296,26 @@
 			    "type %d", type);
 			goto skip;
 		}
@ -48,13 +46,6 @@
 +			lc = NULL;
 +		}
 +#endif  /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS                                                       
-+		if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) {
-+			logit("Denied connection for %.200s from %.200s [%.200s].",
-+			       authctxt->pw->pw_name, from_host, from_ip);
-+			packet_disconnect("Sorry, you are not allowed to connect.");
-+		}
-+#endif /* LOGIN_ACCESS */
 
 		if (!*(meth->enabled)) {
 			verbose("%s authentication disabled.", meth->name);
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@ -1,67 +1,51 @@
--- auth2.c.orig	Tue Feb  8 11:52:48 2005
-+++ auth2.c	Sat Mar 19 20:50:32 2005
-@@ -36,6 +36,7 @@
+--- auth2.c.orig	Fri Aug  4 23:39:39 2006
+++ auth2.c	Sat Sep 30 10:38:04 2006
+@@ -44,6 +45,7 @@
+ #include "dispatch.h"
 #include "pathnames.h"
- #include "monitor_wrap.h"
 #include "buffer.h"
 +#include "canohost.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
-@@ -136,6 +137,15 @@
+@@ -147,6 +149,13 @@
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
 	int authenticated = 0;
 +#ifdef HAVE_LOGIN_CAP
 +	login_cap_t *lc;
-+#endif /* HAVE_LOGIN_CAP */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
 +	const char *from_host, *from_ip;
 +
 +	from_host = get_canonical_hostname(options.use_dns);
 +	from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif
 
 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
-@@ -183,6 +193,41 @@
+@@ -190,6 +199,27 @@
 		    "(%s,%s) -> (%s,%s)",
 		    authctxt->user, authctxt->service, user, service);
 	}
 +
 +#ifdef HAVE_LOGIN_CAP
-+	if (authctxt->pw != NULL) {
-+		lc = login_getpwclass(authctxt->pw);
-+		if (lc == NULL)
-+			lc = login_getclassbyname(NULL, authctxt->pw);
-+		if (!auth_hostok(lc, from_host, from_ip)) {
-+			logit("Denied connection for %.200s from %.200s [%.200s].",
-+			    authctxt->pw->pw_name, from_host, from_ip);
-+			packet_disconnect("Sorry, you are not allowed to connect.");
-+		}
-+		if (!auth_timeok(lc, time(NULL))) {
-+			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+			    authctxt->pw->pw_name, from_host);
-+			packet_disconnect("Logins not available right now.");
-+		}
-+		login_close(lc);
-+		lc = NULL;
-+	}
+        if (authctxt->pw != NULL) {
+                lc = login_getpwclass(authctxt->pw);
+                if (lc == NULL)
+                        lc = login_getclassbyname(NULL, authctxt->pw);
+                if (!auth_hostok(lc, from_host, from_ip)) {
+                        logit("Denied connection for %.200s from %.200s [%.200s].",
+                            authctxt->pw->pw_name, from_host, from_ip);
+                        packet_disconnect("Sorry, you are not allowed to connect.");
+                }
+                if (!auth_timeok(lc, time(NULL))) {
+                        logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+                            authctxt->pw->pw_name, from_host);
+                        packet_disconnect("Logins not available right now.");
+                }
+                login_close(lc);
+                lc = NULL;
+        }
 +#endif  /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
-+	if (authctxt->pw != NULL &&
-+	    !login_access(authctxt->pw->pw_name, from_host)) {
-+		logit("Denied connection for %.200s from %.200s [%.200s].",
-+		    authctxt->pw->pw_name, from_host, from_ip);
-+		packet_disconnect("Sorry, you are not allowed to connect.");
-+	}
-+#endif /* LOGIN_ACCESS */
-+#ifdef BSD_AUTH
-+	if (authctxt->as) {
-+		auth_close(authctxt->as);
-+		authctxt->as = NULL;
-+	}
-+#endif
 +
 	/* reset state */
 	auth2_challenge_stop(authctxt);
--- a/security/openssh-portable/files/patch-clientloop.c
+++ b/security/openssh-portable/files/patch-clientloop.c
@ -1,11 +0,0 @@
--- clientloop.c.orig	Fri Aug 13 13:18:01 2004
-+++ clientloop.c	Mon Sep 20 05:04:48 2004
-@@ -1581,7 +1581,7 @@
- 
- 	if (strcmp(ctype, "forwarded-tcpip") == 0) {
- 		c = client_request_forwarded_tcpip(ctype, rchan);
-	} else if (strcmp(ctype, "x11") == 0) {
-+	} else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
- 		c = client_request_x11(ctype, rchan);
- 	} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
- 		c = client_request_agent(ctype, rchan);
--- a/security/openssh-portable/files/patch-loginrec.c
+++ b/security/openssh-portable/files/patch-loginrec.c
@ -14,7 +14,7 @@
 	strncpy(ut->ut_name, li->username,
 	    MIN_SIZEOF(ut->ut_name, li->username));
 # ifdef HAVE_HOST_IN_UTMP
-+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000
+# if defined(__FreeBSD__) && __FreeBSD_version < 400000
 	strncpy(ut->ut_host, li->hostname,
 	    MIN_SIZEOF(ut->ut_host, li->hostname));
 +# else
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@ -0,0 +1,11 @@
+--- readconf.c.orig	Fri Sep  1 02:38:37 2006
+++ readconf.c	Sat Sep 30 10:38:05 2006
+@@ -1112,7 +1122,7 @@
+ 	if (options->batch_mode == -1)
+ 		options->batch_mode = 0;
+ 	if (options->check_host_ip == -1)
+-		options->check_host_ip = 1;
+		options->check_host_ip = 0;
+ 	if (options->strict_host_key_checking == -1)
+ 		options->strict_host_key_checking = 2;	/* 2 is default */
+ 	if (options->compression == -1)
--- a/security/openssh-portable/files/patch-regress-test-exec.sh
+++ b/security/openssh-portable/files/patch-regress-test-exec.sh
@ -1,11 +0,0 @@
--- regress/test-exec.sh.orig	Fri Jun 25 05:46:09 2004
-+++ regress/test-exec.sh	Tue Aug 17 05:27:49 2004
-@@ -178,6 +178,8 @@
- 	AcceptEnv		_XXX_TEST_*
- 	AcceptEnv		_XXX_TEST
- 	Subsystem	sftp	$SFTPSERVER
-+	PermitRootLogin		yes
-+	UsePrivilegeSeparation	no
- EOF
- 
- if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@ -0,0 +1,41 @@
+--- servconf.c.orig	Fri Aug 18 11:23:15 2006
+++ servconf.c	Sat Sep 30 21:54:26 2006
+@@ -129,7 +129,7 @@
+ {
+ 	/* Portable-specific options */
+ 	if (options->use_pam == -1)
+-		options->use_pam = 0;
+		options->use_pam = 1;
+ 
+ 	/* Standard Options */
+ 	if (options->protocol == SSH_PROTO_UNKNOWN)
+@@ -159,7 +159,7 @@
+ 	if (options->key_regeneration_time == -1)
+ 		options->key_regeneration_time = 3600;
+ 	if (options->permit_root_login == PERMIT_NOT_SET)
+-		options->permit_root_login = PERMIT_YES;
+		options->permit_root_login = PERMIT_NO;
+ 	if (options->ignore_rhosts == -1)
+ 		options->ignore_rhosts = 1;
+ 	if (options->ignore_user_known_hosts == -1)
+@@ -169,7 +169,7 @@
+ 	if (options->print_lastlog == -1)
+ 		options->print_lastlog = 1;
+ 	if (options->x11_forwarding == -1)
+-		options->x11_forwarding = 0;
+		options->x11_forwarding = 1;
+ 	if (options->x11_display_offset == -1)
+ 		options->x11_display_offset = 10;
+ 	if (options->x11_use_localhost == -1)
+@@ -207,7 +207,11 @@
+ 	if (options->gss_cleanup_creds == -1)
+ 		options->gss_cleanup_creds = 1;
+ 	if (options->password_authentication == -1)
+#ifdef USE_PAM
+		options->password_authentication = 0;
+#else
+ 		options->password_authentication = 1;
+#endif
+ 	if (options->kbd_interactive_authentication == -1)
+ 		options->kbd_interactive_authentication = 0;
+ 	if (options->challenge_response_authentication == -1)
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@ -1,344 +1,164 @@
--- session.c.orig	Sun Mar  6 12:38:52 2005
-+++ session.c	Sat Mar 19 21:45:32 2005
-@@ -66,6 +66,11 @@
- #include "ssh-gss.h"
+--- session.c.orig	Fri Sep  1 02:38:37 2006
+++ session.c	Sat Sep 30 19:32:06 2006
+@@ -776,6 +776,24 @@
+ {
+ 	FILE *f;
+ 	char buf[256];
+#ifdef HAVE_LOGIN_CAP
+	const char *fname;
+#endif
+
+#ifdef HAVE_LOGIN_CAP
+	fname = login_getcapstr(lc, "copyright", NULL, NULL);
+	if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+		while (fgets(buf, sizeof(buf), f) != NULL)
+			fputs(buf, stdout);
+			fclose(f);
+	} else
+#endif /* HAVE_LOGIN_CAP */
+		(void)printf("%s\n\t%s %s\n",
+	"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+	"The Regents of the University of California. ",
+	"All rights reserved.");
+
+	(void)printf("\n");
+ 
+ 	if (options.print_motd) {
+ #ifdef HAVE_LOGIN_CAP
+@@ -1004,6 +1022,9 @@
+ 	struct passwd *pw = s->pw;
+ #ifndef HAVE_LOGIN_CAP
+ 	char *path = NULL;
+#else
+	extern char **environ;
+	char **senv, **var;
 #endif
 
-+#ifdef __FreeBSD__
-+#include <syslog.h>
-+#define _PATH_CHPASS "/usr/bin/passwd"
-+#endif /* __FreeBSD__ */
-+
- /* func */
- 
- Session *session_new(void);
-@@ -414,6 +419,13 @@
- 		log_init(__progname, options.log_level, options.log_facility, log_stderr);
- 
- 		/*
-+		 * Using login and executing a specific "command" are mutually
-+		 * exclusive, so turn off use_login if there's a command.
-+		 */
-+		if (command != NULL)
-+			options.use_login = 0;
-+
-+		/*
- 		 * Create a new session and process group since the 4.4BSD
- 		 * setlogin() affects the entire process group.
- 		 */
-@@ -550,6 +562,14 @@
- 
- 		/* Child.  Reinitialize the log because the pid has changed. */
- 		log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+
-+		/*
-+		 * Using login and executing a specific "command" are mutually
-+		 * exclusive, so turn off use_login if there's a command.
-+		 */
-+		if (command != NULL)
-+			options.use_login = 0;
-+
- 		/* Close the master side of the pseudo tty. */
- 		close(ptyfd);
- 
-@@ -700,6 +720,18 @@
- 	struct sockaddr_storage from;
- 	struct passwd * pw = s->pw;
- 	pid_t pid = getpid();
-+#ifdef HAVE_LOGIN_CAP
-+	FILE *f;
-+	char buf[256];
-+	const char *fname;
-+	const char *shorttty;
-+#endif /* HAVE_LOGIN_CAP */
-+#ifdef __FreeBSD__
-+#define DEFAULT_WARN  (2L * 7L * 86400L)  /* Two weeks */
-+	char *newcommand = NULL;
-+	struct timeval tv;
-+	time_t warntime = DEFAULT_WARN;
-+#endif /* __FreeBSD__ */
- 
- 	/*
- 	 * Get IP address of client. If the connection is not a socket, let
-@@ -735,12 +767,101 @@
+ 	/* Initialize the environment. */
+@@ -1025,6 +1046,9 @@
 	}
 #endif
 
-+#ifdef __FreeBSD__
-+	if (pw->pw_change || pw->pw_expire)
-+		(void)gettimeofday(&tv, NULL);
-+#ifdef HAVE_LOGIN_CAP
-+	warntime = login_getcaptime(lc, "warnpassword",
-+				    DEFAULT_WARN, DEFAULT_WARN);
-+#endif /* HAVE_LOGIN_CAP */
-+	/*
-+	 * If the password change time is set and has passed, give the
-+	 * user a password expiry notice and chance to change it.
-+	 */
-+	if (pw->pw_change != 0) {
-+		if (tv.tv_sec >= pw->pw_change) {
-+			(void)printf(
-+			    "Sorry -- your password has expired.\n");
-+			logit("%s Password expired - forcing change",
-+			    pw->pw_name);
-+			if (newcommand != NULL)
-+				xfree(newcommand);
-+			newcommand = xstrdup(_PATH_CHPASS);
-+		} else if (pw->pw_change - tv.tv_sec < warntime &&
-+			   !check_quietlogin(s, command))
-+			(void)printf(
-+			    "Warning: your password expires on %s",
-+			     ctime(&pw->pw_change));
-+	}
-+
-+#ifndef USE_PAM
-+	if (pw->pw_expire) {
-+		if (tv.tv_sec >= pw->pw_expire) {
-+			(void)printf(
-+			    "Sorry -- your account has expired.\n");
-+			logit(
-+	   "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
-+				pw->pw_name, get_remote_name_or_ip(utmp_len,
-+				options.use_dns), s->tty);
-+			exit(254);
-+		} else if (pw->pw_expire - tv.tv_sec < warntime &&
-+			   !check_quietlogin(s, command))
-+			(void)printf(
-+			    "Warning: your account expires on %s",
-+			     ctime(&pw->pw_expire));
-+	}
-+#endif /* !USE_PAM */
-+#endif /* __FreeBSD__ */
-+
-+#ifdef HAVE_LOGIN_CAP
-+	/* check if we have a pathname in the ttyname */
-+	shorttty = rindex( s->tty, '/' );
-+	if (shorttty != NULL ) {
-+		/* use only the short filename to check */
-+		shorttty ++;
-+	} else {
-+		/* nothing found, use the whole name found */
-+		shorttty = s->tty;
-+	}
-+	if (!auth_ttyok(lc, shorttty)) {
-+		(void)printf("Permission denied.\n");
-+		logit(
-+	       "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
-+		    pw->pw_name, get_remote_name_or_ip(utmp_len,
-+			options.use_dns), s->tty);
-+		exit(254);
-+	}
-+#endif /* HAVE_LOGIN_CAP */
-+
- 	if (check_quietlogin(s, command))
- 		return;
- 
- 	display_loginmsg();
- 
-	do_motd();
-+#ifdef HAVE_LOGIN_CAP
-+	if (command == NULL &&
-+	    !options.use_login) {
-+		fname = login_getcapstr(lc, "copyright", NULL, NULL);
-+		if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
-+			while (fgets(buf, sizeof(buf), f) != NULL)
-+				fputs(buf, stdout);
-+			fclose(f);
-+		} else
-+			(void)printf("%s\n\t%s %s\n",
-+	"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
-+	    "The Regents of the University of California. ",
-+	    "All rights reserved.");
-+	}
-+#endif /* HAVE_LOGIN_CAP */
-+
-+	/*
-+	 * Print /etc/motd unless a command was specified or printing
-+	 * it was disabled in server options or login(1) will be
-+	 * used.  Note that some machines appear to print it in
-+	 * /etc/profile or similar.
-+	 */
-+	if (command == NULL && !options.use_login)
-+		do_motd();
- }
- 
- /*
-@@ -756,9 +877,9 @@
- #ifdef HAVE_LOGIN_CAP
- 		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
- 		    "/etc/motd"), "r");
-#else
-+#else /* !HAVE_LOGIN_CAP */
- 		f = fopen("/etc/motd", "r");
-#endif
-+#endif /* HAVE_LOGIN_CAP */
- 		if (f) {
- 			while (fgets(buf, sizeof(buf), f))
- 				fputs(buf, stdout);
-@@ -785,10 +906,10 @@
- #ifdef HAVE_LOGIN_CAP
- 	if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
- 		return 1;
-#else
-+#else /* HAVE_LOGIN_CAP */
- 	if (stat(buf, &st) >= 0)
- 		return 1;
-#endif
-+#endif /* HAVE_LOGIN_CAP */
- 	return 0;
- }
- 
-@@ -974,7 +1095,14 @@
- {
- 	char buf[256];
- 	u_int i, envsize;
-	char **env, *laddr, *path = NULL;
-+	char **env, *laddr;
-+#ifdef HAVE_CYGWIN
-+	char *path = NULL;
-+#endif /* HAVE_CYGWIN */
-+#ifdef HAVE_LOGIN_CAP
-+	extern char **environ;
-+	char **senv, **var;
-+#endif /* HAVE_LOGIN_CAP */
- 	struct passwd *pw = s->pw;
- 
- 	/* Initialize the environment. */
-@@ -982,6 +1110,9 @@
- 	env = xmalloc(envsize * sizeof(char *));
- 	env[0] = NULL;
- 
-+	/* Moved up to resove confict with gsssapi patches */
 +	if (getenv("TZ"))
 +		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- #ifdef HAVE_CYGWIN
- 	/*
- 	 * The Windows environment contains some setting which are
-@@ -1046,9 +1177,21 @@
- 
- 		/* Normal systems set SHELL by default. */
- 		child_set_env(&env, &envsize, "SHELL", shell);
-+#ifdef HAVE_LOGIN_CAP
+
+ #ifdef GSSAPI
+ 	/* Allow any GSSAPI methods that we've used to alter
+ 	 * the childs environment as they see fit
+@@ -1044,11 +1068,22 @@
+ 		child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+ #endif
+ 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+		snprintf(buf, sizeof buf, "%.200s/%.50s",
+			 _PATH_MAILDIR, pw->pw_name);
+		child_set_env(&env, &envsize, "MAIL", buf);
+ #ifdef HAVE_LOGIN_CAP
+-		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+-			child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+-		else
+-			child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+		child_set_env(&env, &envsize, "TERM", "su");
 +		senv = environ;
 +		environ = xmalloc(sizeof(char *));
 +		*environ = NULL;
-+		if (setusercontext(lc, pw, pw->pw_uid,
-+			LOGIN_SETENV|LOGIN_SETPATH) < 0) {
-+			perror("unable to set user context enviroment");
-+		}
+		(void) setusercontext(lc, pw, pw->pw_uid,
+		    LOGIN_SETENV|LOGIN_SETPATH);
 +		copy_environment(environ, &env, &envsize);
 +		for (var = environ; *var != NULL; ++var)
 +			xfree(*var);
 +		xfree(environ);
 +		environ = senv;
-+#endif /* HAVE_LOGIN_CAP */
+ #else /* HAVE_LOGIN_CAP */
+ # ifndef HAVE_CYGWIN
+ 		/*
+@@ -1069,15 +1104,9 @@
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+ 
+-		snprintf(buf, sizeof buf, "%.200s/%.50s",
+-			 _PATH_MAILDIR, pw->pw_name);
+-		child_set_env(&env, &envsize, "MAIL", buf);
+-
+ 		/* Normal systems set SHELL by default. */
+ 		child_set_env(&env, &envsize, "SHELL", shell);
 	}
 -	if (getenv("TZ"))
 -		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
 
 	/* Set custom environment options from RSA authentication. */
 	if (!options.use_login) {
-@@ -1258,6 +1401,12 @@
+@@ -1287,6 +1316,10 @@
 void
 do_setusercontext(struct passwd *pw)
 {
-+
 +#ifdef CHROOT
 +	char *user_dir;
 +	char *new_root;
 +#endif /* CHROOT */
-+
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
-@@ -1285,10 +1434,30 @@
+@@ -1314,10 +1347,31 @@
 		}
 # endif /* USE_PAM */
 		if (setusercontext(lc, pw, pw->pw_uid,
 -		    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-+		    (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
+		    (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
 			perror("unable to set user context");
 			exit(1);
 		}
 +#ifdef CHROOT
-+	user_dir = xstrdup(pw->pw_dir);
-+	new_root = user_dir + 1;
+		user_dir = xstrdup(pw->pw_dir);
+		new_root = user_dir + 1;
+
+		while((new_root = strchr(new_root, '.')) != NULL) {
+			new_root--;
+			if(strncmp(new_root, "/./", 3) == 0) {
+				*new_root = '\0';
+				new_root += 2;
+
+				if(chroot(user_dir) != 0)
+					fatal("Couldn't chroot to user directory %s", user_dir);
+				pw->pw_dir = new_root;
+				break;
+			}
 +
-+	while((new_root = strchr(new_root, '.')) != NULL) {
-+		new_root--;
-+		if(strncmp(new_root, "/./", 3) == 0) {
-+			*new_root = '\0';
 +			new_root += 2;
-+
-+			if(chroot(user_dir) != 0)
-+				fatal("Couldn't chroot to user directory %s", user_dir);
-+			pw->pw_dir = new_root;
-+			break;
 +		}
-+
-+		new_root += 2;
-+	}
 +#endif /* CHROOT */
-+	permanently_set_uid(pw);
+		/* Permanently switch to the desired uid. */
+		permanently_set_uid(pw);
 #else
 # if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
 		/* Sets login uid for accounting */
-@@ -1322,7 +1491,16 @@
- 		 * Reestablish them here.
- 		 */
- 		if (options.use_pam) {
-			do_pam_session();
-+			/* check if we have a pathname in the ttyname */
-+			shorttty = rindex( s->tty, '/' );
-+			if (shorttty != NULL ) {
-+				/* use only the short filename to check */
-+				shorttty ++;
-+			} else {
-+				/* nothing found, use the whole name found */
-+				shorttty = s->tty;
-+			}
-+			do_pam_session(s->pw->pw_name, shorttty);
- 			do_pam_setcred(0);
- 		}
- # endif /* USE_PAM */
-@@ -1417,7 +1595,7 @@
- 	 * initgroups, because at least on Solaris 2.3 it leaves file
- 	 * descriptors open.
- 	 */
-	for (i = 3; i < 64; i++)
-+	for (i = 3; i < getdtablesize(); i++)
- 		close(i);
- }
+@@ -1472,6 +1526,9 @@
+ 	char *argv[10];
+ 	const char *shell, *shell0, *hostname = NULL;
+ 	struct passwd *pw = s->pw;
+#ifdef HAVE_LOGIN_CAP
+	int lc_requirehome;
+#endif
 
-@@ -1553,6 +1731,31 @@
+ 	/* remove hostkey from the child's memory */
+ 	destroy_sensitive_data();
+@@ -1559,6 +1616,10 @@
+ 	 */
+ 	environ = env;
+ 
+#ifdef HAVE_LOGIN_CAP
+	lc_requirehome = login_getcapbool(lc, "requirehome", 0);
+	login_close(lc);
+#endif
+ #if defined(KRB5) && defined(USE_AFS)
+ 	/*
+ 	 * At this point, we check to see if AFS is active and if we have
+@@ -1590,7 +1651,7 @@
+ 		fprintf(stderr, "Could not chdir to home directory %s: %s\n",
+ 		    pw->pw_dir, strerror(errno));
+ #ifdef HAVE_LOGIN_CAP
+-		if (login_getcapbool(lc, "requirehome", 0))
+		if (lc_requirehome)
 			exit(1);
 #endif
 	}
-+
-+#ifdef __FreeBSD__
-+  	if (!options.use_login) {
-+		/*
-+		 * If the password change time is set and has passed, give the
-+		 * user a password expiry notice and chance to change it.
-+		 */
-+		if (pw->pw_change != 0) {
-+			struct timeval tv;
-+
-+			(void)gettimeofday(&tv, NULL);
-+			if (tv.tv_sec >= pw->pw_change) {
-+				(void)printf(
-+				    "Sorry -- your password has expired.\n");
-+				syslog(LOG_INFO,
-+				    "%s Password expired - forcing change",
-+				    pw->pw_name);
-+				if (system("/usr/bin/passwd") != 0) {
-+					perror("/usr/bin/passwd");
-+					exit(1);
-+				}
-+			}
-+		}
-+	}
-+#endif /* __FreeBSD__ */
- 
- 	if (!options.use_login)
- 		do_rc_files(s, shell);
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@ -0,0 +1,10 @@
+--- ssh-agent.c.orig	Fri Sep  1 02:38:37 2006
+++ ssh-agent.c	Sat Sep 30 18:30:32 2006
+@@ -1036,6 +1036,7 @@
+ 	/* drop */
+ 	setegid(getgid());
+ 	setgid(getgid());
+	setuid(geteuid());
+ 
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ 	/* Disable ptrace on Linux without sgid bit */
--- a/security/openssh-portable/files/patch-ssh.c
+++ b/security/openssh-portable/files/patch-ssh.c
@ -0,0 +1,26 @@
+--- ssh.c.orig	Sat Sep  2 02:32:40 2006
+++ ssh.c	Sat Sep 30 10:38:05 2006
+@@ -639,6 +640,23 @@
+ 
+ 	if (options.hostname != NULL)
+ 		host = options.hostname;
+
+	/* Find canonic host name. */
+	if (strchr(host, '.') == 0) {
+		struct addrinfo hints;
+		struct addrinfo *ai = NULL;
+		int errgai;
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = options.address_family;
+		hints.ai_flags = AI_CANONNAME;
+		hints.ai_socktype = SOCK_STREAM;
+		errgai = getaddrinfo(host, NULL, &hints, &ai);
+		if (errgai == 0) {
+			if (ai->ai_canonname != NULL)
+				host = xstrdup(ai->ai_canonname);
+			freeaddrinfo(ai);
+		}
+	}
+ 
+ 	/* force lowercase for hostkey matching */
+ 	if (options.host_key_alias != NULL) {
--- a/security/openssh-portable/files/patch-ssh_config
+++ b/security/openssh-portable/files/patch-ssh_config
@ -0,0 +1,11 @@
+--- ssh_config.orig	Tue Jun 13 00:01:10 2006
+++ ssh_config	Sat Sep 30 10:39:07 2006
+@@ -27,7 +28,7 @@
+ #   GSSAPIAuthentication no
+ #   GSSAPIDelegateCredentials no
+ #   BatchMode no
+-#   CheckHostIP yes
+#   CheckHostIP no
+ #   AddressFamily any
+ #   ConnectTimeout 0
+ #   StrictHostKeyChecking ask
--- a/security/openssh-portable/files/patch-ssh_config.5
+++ b/security/openssh-portable/files/patch-ssh_config.5
@ -0,0 +1,11 @@
+--- ssh_config.5.orig	Fri Aug  4 22:34:51 2006
+++ ssh_config.5	Sat Sep 30 10:39:07 2006
+@@ -165,7 +166,7 @@
+ .Dq no ,
+ the check will not be executed.
+ The default is
+-.Dq yes .
+.Dq no .
+ .It Cm Cipher
+ Specifies the cipher to use for encrypting the session
+ in protocol version 1.
--- a/security/openssh-portable/files/patch-sshd.8
+++ b/security/openssh-portable/files/patch-sshd.8
@ -0,0 +1,33 @@
+--- sshd.8.orig	Tue Aug 29 22:07:01 2006
+++ sshd.8	Sat Sep 30 20:05:16 2006
+@@ -65,7 +65,7 @@
+ .Nm
+ listens for connections from clients.
+ It is normally started at boot from
+-.Pa /etc/rc .
+.Pa %%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%% .
+ It forks a new
+ daemon for each incoming connection.
+ The forked daemons handle
+@@ -342,8 +342,9 @@
+ If the login is on a tty, records login time.
+ .It
+ Checks
+-.Pa /etc/nologin ;
+-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
+ (unless root).
+ .It
+ Changes to run with normal user privileges.
+@@ -365,7 +366,8 @@
+ exists, runs it; else if
+ .Pa /etc/ssh/sshrc
+ exists, runs
+-it; otherwise runs xauth.
+it; otherwise runs
+.Xr xauth 1 .
+ The
+ .Dq rc
+ files are given the X11
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@ -1,20 +1,23 @@
--- sshd.c.orig	Wed Jun 26 01:24:19 2002
-+++ sshd.c	Thu Jul 25 06:32:37 2002
-@@ -53,6 +53,10 @@
+--- sshd.c.patch	Sun Sep 17 01:04:46 2006
+++ sshd.c	Sat Sep 30 10:38:05 2006
+@@ -80,6 +81,13 @@
 #include <prot.h>
 #endif
 
 +#ifdef __FreeBSD__
 +#include <resolv.h>
+#ifdef GSSAPI
+#include <gssapi.h>
+#endif
 +#endif
 +
+ #include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
- #include "ssh2.h"
-@@ -1409,6 +1413,17 @@
- 	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
- 	    sizeof(on)) < 0)
- 		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+@@ -1697,6 +1705,29 @@
+ 	signal(SIGQUIT, SIG_DFL);
+ 	signal(SIGCHLD, SIG_DFL);
+ 	signal(SIGINT, SIG_DFL);
 +
 +#ifdef __FreeBSD__
 +	/*
@ -25,6 +28,18 @@
 +		debug("res_init()");         
 +		res_init();         
 +	}
+#ifdef GSSAPI
+	/*
+	 * Force GSS-API to parse its configuration and load any
+	 * mechanism plugins.
+	 */
+	{
+		gss_OID_set mechs;
+		OM_uint32 minor_status;
+		gss_indicate_mechs(&minor_status, &mechs);
+		gss_release_oid_set(&minor_status, &mechs);
+	}
+#endif
 +#endif
 
 	/*
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@ -1,18 +1,49 @@
--- sshd_config.orig	Mon May 24 02:36:24 2004
-+++ sshd_config	Mon Sep 20 05:04:48 2004
-@@ -34,6 +34,7 @@
+--- sshd_config.orig	Mon Jul 24 01:06:47 2006
+++ sshd_config	Sat Sep 30 21:52:31 2006
+@@ -34,7 +34,7 @@
+ # Authentication:
 
 #LoginGraceTime 2m
- #PermitRootLogin yes
-+PermitRootLogin no
+-#PermitRootLogin yes
+#PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 
-@@ -57,6 +58,7 @@
+@@ -52,11 +52,11 @@
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
 
- # Change to no to disable s/key passwords
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
+ #PermitEmptyPasswords no
+ 
+-# Change to no to disable s/key passwords
+# Change to no to disable PAM authentication
 #ChallengeResponseAuthentication yes
-+ChallengeResponseAuthentication no
 
 # Kerberos options
- #KerberosAuthentication no
+@@ -69,7 +69,7 @@
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
+ 
+-# Set this to 'yes' to enable PAM authentication, account processing, 
+# Set this to 'no' to disable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will 
+ # be allowed through the ChallengeResponseAuthentication and
+ # PasswordAuthentication.  Depending on your PAM configuration,
+@@ -78,11 +78,11 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
+#UsePAM yes
+ 
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+-#X11Forwarding no
+#X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PrintMotd yes
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@ -0,0 +1,90 @@
+--- sshd_config.5.orig	Tue Aug 29 22:06:34 2006
+++ sshd_config.5	Sat Sep 30 10:39:07 2006
+@@ -169,9 +170,16 @@
+ By default, no banner is displayed.
+ .It Cm ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed.
+-All authentication styles from
+-.Xr login.conf 5
+-are supported.
+Specifically, in
+.Fx ,
+this controls the use of PAM (see
+.Xr pam 3 )
+for authentication.
+Note that this affects the effectiveness of the
+.Cm PasswordAuthentication
+and
+.Cm PermitRootLogin
+variables.
+ The default is
+ .Dq yes .
+ .It Cm Ciphers
+@@ -554,7 +560,22 @@
+ .It Cm PasswordAuthentication
+ Specifies whether password authentication is allowed.
+ The default is
+.Dq no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
+ .Dq yes .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
+.Xr pam_unix 8 ,
+password authentication will be allowed through the challenge-response
+mechanism regardless of the value of
+.Cm PasswordAuthentication .
+ .It Cm PermitEmptyPasswords
+ When password authentication is allowed, it specifies whether the
+ server allows login to accounts with empty password strings.
+@@ -597,7 +618,14 @@
+ or
+ .Dq no .
+ The default is
+-.Dq yes .
+.Dq no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
+.Dq without-password .
+ .Pp
+ If this option is set to
+ .Dq without-password ,
+@@ -704,7 +732,9 @@
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
+ .It Cm RhostsRSAAuthentication
+-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
+ with successful RSA host authentication is allowed.
+ The default is
+ .Dq no .
+@@ -814,7 +844,7 @@
+ .Xr sshd 8
+ as a non-root user.
+ The default is
+-.Dq no .
+.Dq yes .
+ .It Cm UsePrivilegeSeparation
+ Specifies whether
+ .Xr sshd 8
+@@ -839,7 +874,7 @@
+ or
+ .Dq no .
+ The default is
+-.Dq no .
+.Dq yes .
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the
--- a/security/openssh-portable/files/patch-sshpty.c
+++ b/security/openssh-portable/files/patch-sshpty.c
@ -1,12 +0,0 @@
--- sshpty.c.orig	Wed Jan 21 07:07:17 2004
-+++ sshpty.c	Wed Feb 25 11:58:54 2004
-@@ -17,6 +17,9 @@
- #ifdef HAVE_UTIL_H
- # include <util.h>
- #endif /* HAVE_UTIL_H */
-+#ifdef HAVE_LIBUTIL_H
-+#include <libutil.h>
-+#endif
- 
- #include "sshpty.h"
- #include "log.h"
--- a/security/openssh-portable/files/servconf.c.patch
+++ b/security/openssh-portable/files/servconf.c.patch
@ -1,17 +0,0 @@
--- servconf.c.orig	Sat Mar 23 11:02:41 2002
-+++ servconf.c	Sat Mar 23 11:07:39 2002
-@@ -17,12 +17,12 @@
- #endif
- #if defined(KRB5)
- #ifdef HEIMDAL
-#include <krb.h>
-+#include <krb5.h>
- #else
- /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
-  * keytab */
-#define KEYFILE "/etc/krb5.keytab"
- #endif
-+#define KEYFILE "/etc/krb5.keytab"
- #endif
- #ifdef AFS
- #include <kafs.h>