
From: Fabian Groffen <grobian@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/proj/prefix:master commit in: net-misc/openssh/files/, net-misc/openssh/
Date: Wed, 28 Sep 2016 17:26:35
Message-Id: 1475083578.15e618a1fdd34e952d0485cb9bcfdc8672aa25e8.grobian@gentoo
1 commit: 15e618a1fdd34e952d0485cb9bcfdc8672aa25e8
2 Author: Fabian Groffen <grobian <AT> gentoo <DOT> org>
3 AuthorDate: Wed Sep 28 17:26:18 2016 +0000
4 Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org>
5 CommitDate: Wed Sep 28 17:26:18 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=15e618a1
7
8 net-misc/openssh: migrate to gx86
9
10 net-misc/openssh/Manifest | 13 -
11 .../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch | 127 --------
12 .../openssh-5.9_p1-sshd-gssapi-multihomed.patch | 184 -----------
13 .../openssh/files/openssh-6.3_p1-x509-glue.patch | 16 -
14 .../files/openssh-6.3_p1-x509-hpn14v2-glue.patch | 51 ----
15 .../files/openssh-6.5_p1-hpn-cipher-align.patch | 114 -------
16 .../openssh/files/openssh-6.6.1_p1-x509-glue.patch | 17 --
17 .../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 --
18 .../files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch | 26 --
19 net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 ----------
20 .../openssh-6.6_p1-openssl-ignore-status.patch | 17 --
21 .../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 -
22 .../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 --
23 .../openssh-6.7_p1-openssl-ignore-status.patch | 17 --
24 .../files/openssh-6.7_p1-xmalloc-include.patch | 11 -
25 .../files/openssh-6.8_p1-sctp-x509-glue.patch | 90 ------
26 .../files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch | 40 ---
27 .../openssh-6.8_p1-sshd-gssapi-multihomed.patch | 162 ----------
28 .../openssh-6.8_p1-ssl-engine-configure.patch | 31 --
29 .../files/openssh-6.8_p1-teraterm-hpn-glue.patch | 15 -
30 .../openssh/files/openssh-6.8_p1-teraterm.patch | 69 -----
31 .../files/openssh-6.9_p1-x509-warnings.patch | 24 --
32 net-misc/openssh/files/sshd.confd | 21 --
33 net-misc/openssh/files/sshd.pam_include.2 | 4 -
34 net-misc/openssh/files/sshd.rc6.4 | 85 ------
35 net-misc/openssh/files/sshd.service | 11 -
36 net-misc/openssh/files/sshd.socket | 10 -
37 net-misc/openssh/files/sshd_at.service | 8 -
38 net-misc/openssh/metadata.xml | 40 ---
39 net-misc/openssh/openssh-6.8_p1-r5.ebuild | 336 ---------------------
40 net-misc/openssh/openssh-6.9_p1-r2.ebuild | 315 -------------------
41 net-misc/openssh/openssh-7.1_p2-r1.ebuild | 327 --------------------
42 32 files changed, 2416 deletions(-)
43
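diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
deleted file mode 100644
index 5ad3eda..0000000
--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,13 +0,0 @@
-DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
-DIST openssh-6.8_p1-x509-8.3.1-glue.patch.xz 141096 SHA256 1e8c911b1403e47a37c24d0ebbfa36d46204c06b38d93ed9ae6d2a0953d3bba6 SHA512 942f09f20d898b4865707b5b48012545d7f8171353427ddb773cffaf1b8c664f48375cb85292592ccba63da695e99def42d17c52a61bb93b89827f53cf3ad918 WHIRLPOOL 66ace7a191a562485ee144516912dee52c84fcfbe8b710b3429211cd9d849dc24d4419c5fa6fd3968f9ab250cf474a692db326c2ac3ef930081b8a5777875a73
-DIST openssh-6.8p1+x509-8.3.1.diff.gz 351502 SHA256 64d0b7cd428352a2d77d9decb02ec744eca4433bcb35288745859eb19ccf4fcf SHA512 6525b7ddae13752f145bda42fe6d65ec40a8c9d44766b749cf49ff904d6b1941e088e560c2a532a3dc0003ac1e29d56a28ea3ed1533ee5abcd696cd80ae88d8e WHIRLPOOL 32f45411d250b7c46f2408bfca6b12223e901fa15c27db449c06cd5b1ab7a0e853fffed5971ca635c5080d1796196a8661b8d1503bdcdb28d61e0d082f28590b
-DIST openssh-6.8p1-r5-hpnssh14v5.tar.xz 27240 SHA256 4fe25701ea8717e88bf2355a76fb5370819f927af99efba3e4f06fe3264fbf58 SHA512 29a2086c6bf868bb1c8d2601e1ac83a82de48ed9f9cf6a3762b3f899112d939507b563d0117b4bec87008dd0434e0735e4a4f8c779a64d719d3873224918d16c WHIRLPOOL a4f3e841530d08363c94dfb55911e79f130668e459dc2e1ebb477c14dcf7d3bd71ad63c55e0ff2ba80684e67a8f40867b0a9fd01aabe3fe1533ef604f84a76b3
-DIST openssh-6.8p1.tar.gz 1475953 SHA256 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e SHA512 7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede WHIRLPOOL 3ac9cc4fe0b11ca66c0220618d0ef0c5925e5605d4d3d55c9579b708c478cf8613b7575fe213aba57054d97d3290baac4eba26b7a630d22477ec947f22327a5a
-DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2
-DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
-DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
-DIST openssh-7.1p2+x509-8.7.diff.gz 438584 SHA256 23030dff924a78718686fad6442b1083293b0c2a057714291bd0af9ed8ef5868 SHA512 d9aa43f5fc06b88b442285a9f9a15d01b52796c36f0cb228c756edca473a89eadb296c45503a14514fdb156d3bc9d90ff33271ccfa9461a9bb2b798a581cc007 WHIRLPOOL ef3f4486fff0addad1a6bdcde3ba606d55d6e3ea5d2cd6e79bfe2494d660c38f0e9f1c157af72c3b6ad5e6eb3731168f975b26c94f8357154e54c08e5d876652
-DIST openssh-7.1p2-hpnssh14v10.tar.xz 22388 SHA256 729e20a2627ca403da6cfff8ef251c03421022123a21c68003181b4e5409bcc5 SHA512 b8e88ac5891ed632416db8da6377512614f19f5f7a7c093b55ecfe3e3f50979c61c0674e9381c316632d8daed90f8cce958c9b77bd00084a4ee1b0297cf321ba WHIRLPOOL c466cc33dc4a40e9466148beb154c539e095ac1b9cdcc5b3d235cbcf12ca10255d63da2f0e1da10d1afa1a0d2ebd436ca0d9e542c732df6ef67fb8f4d2d0192c
-DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd SHA512 d5be60f3645ec238b21e1f2dfd801b2136146674bbc086ebdb14be516c613819bc87c84b5089f3a45fe6e137a7458404f79f42572c69d91571e45ebed9d5e3af WHIRLPOOL 9f48952b82db3983c20e84bcff5b6761f5b284174072c828698dced3a53ca8bbc2e1f89d2e82b62a68f4606b52c980fcf097250f86c1a67ad343d20e3ec9d1f4
-DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
-DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518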
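diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index c81ae5c..0000000
--- a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
-Index: readconf.c
-===================================================================
-RCS file: /cvs/openssh/readconf.c,v
-retrieving revision 1.135
-diff -u -r1.135 readconf.c
---- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
-+++ readconf.c 19 Aug 2006 11:59:52 -0000
-@@ -126,6 +126,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -163,9 +164,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- #else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- { "fallbacktorsh", oDeprecated },
- { "usersh", oDeprecated },
-@@ -444,6 +447,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1010,6 +1017,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1100,6 +1108,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-Index: readconf.h
-===================================================================
-RCS file: /cvs/openssh/readconf.h,v
-retrieving revision 1.63
-diff -u -r1.63 readconf.h
---- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
-+++ readconf.h 19 Aug 2006 11:59:52 -0000
-@@ -45,6 +45,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: ssh_config.5
-===================================================================
-RCS file: /cvs/openssh/ssh_config.5,v
-retrieving revision 1.97
-diff -u -r1.97 ssh_config.5
---- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
-+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
-@@ -483,7 +483,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
--Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-Index: sshconnect2.c
-===================================================================
-RCS file: /cvs/openssh/sshconnect2.c,v
-retrieving revision 1.151
-diff -u -r1.151 sshconnect2.c
---- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
-+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
-@@ -499,6 +499,12 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns)
-+ gss_host = get_canonical_hostname(1);
-+ else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -511,7 +517,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;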
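diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 6377d03..0000000
--- a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-Index: gss-serv.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
-retrieving revision 1.22
-diff -u -p -r1.22 gss-serv.c
---- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
-+++ gss-serv.c 11 Jan 2010 05:38:29 -0000
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[MAXHOSTNAMELEN];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
-Index: servconf.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
-retrieving revision 1.201
-diff -u -p -r1.201 servconf.c
---- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
-+++ servconf.c 11 Jan 2010 05:34:56 -0000
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
-Index: servconf.h
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
-retrieving revision 1.89
-diff -u -p -r1.89 servconf.h
---- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
-+++ servconf.h 11 Jan 2010 05:32:28 -0000
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
-Index: sshd_config
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
-retrieving revision 1.81
-diff -u -p -r1.81 sshd_config
---- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
-+++ sshd_config 11 Jan 2010 05:32:28 -0000
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-Index: sshd_config.5
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
-retrieving revision 1.116
-diff -u -p -r1.116 sshd_config.5
---- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
-+++ sshd_config.5 11 Jan 2010 05:37:20 -0000
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed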
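diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
deleted file mode 100644
index f70d44a..0000000
--- a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch
-
---- openssh-6.3p1+x509-7.6.diff
-+++ openssh-6.3p1+x509-7.6.diff
-@@ -14784,10 +14784,9 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -490,6 +567,16 @@
-+@@ -490,5 +567,15 @@
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased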
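diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
deleted file mode 100644
index c3647d5..0000000
--- a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
+++ /dev/null
@@ -1,51 +0,0 @@
---- openssh-6.3p1/Makefile.in
-+++ openssh-6.3p1/Makefile.in
-@@ -45,7 +45,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@
- GSSLIBS=@GSSLIBS@
-@@ -53,6 +53,7 @@
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
-+CPPFLAGS+=@LDAP_CPPFLAGS@
- AR=@AR@
- AWK=@AWK@
- RANLIB=@RANLIB@
---- openssh-6.3p1/sshconnect.c
-+++ openssh-6.3p1/sshconnect.c
-@@ -465,7 +465,7 @@
- {
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
---- openssh-6.3p1/sshd.c
-+++ openssh-6.3p1/sshd.c
-@@ -472,8 +472,8 @@
- comment = "";
- }
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-- major, minor, SSH_VERSION, comment,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+ major, minor, SSH_VERSION,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
-
---- openssh-6.3p1/version.h
-+++ openssh-6.3p1/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_6.3"
-
- #define SSH_PORTABLE "p1"
-+#define SSH_X509 " PKIX"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE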
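diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
deleted file mode 100644
index cfb060f..0000000
--- a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-https://bugs.gentoo.org/498632
-
-make sure we do not use unaligned loads/stores as some arches really hate that.
-
---- a/cipher-ctr-mt.c
-+++ b/cipher-ctr-mt.c
-@@ -58,8 +58,16 @@
- /* Collect thread stats and print at cancellation when in debug mode */
- /* #define CIPHER_THREAD_STATS */
-
--/* Use single-byte XOR instead of 8-byte XOR */
--/* #define CIPHER_BYTE_XOR */
-+/* Can the system do unaligned loads natively? */
-+#if defined(__aarch64__) || \
-+ defined(__i386__) || \
-+ defined(__powerpc__) || \
-+ defined(__x86_64__)
-+# define CIPHER_UNALIGNED_OK
-+#endif
-+#if defined(__SIZEOF_INT128__)
-+# define CIPHER_INT128_OK
-+#endif
- /*-------------------- END TUNABLES --------------------*/
-
-
-@@ -285,8 +293,20 @@ thread_loop(void *x)
-
- static int
- ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-- u_int len)
-+ size_t len)
- {
-+ typedef union {
-+#ifdef CIPHER_INT128_OK
-+ __uint128_t *u128;
-+#endif
-+ uint64_t *u64;
-+ uint32_t *u32;
-+ uint8_t *u8;
-+ const uint8_t *cu8;
-+ uintptr_t u;
-+ } ptrs_t;
-+ ptrs_t destp, srcp, bufp;
-+ uintptr_t align;
- struct ssh_aes_ctr_ctx *c;
- struct kq *q, *oldq;
- int ridx;
-@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- ridx = c->ridx;
-
- /* src already padded to block multiple */
-+ srcp.cu8 = src;
-+ destp.u8 = dest;
- while (len > 0) {
- buf = q->keys[ridx];
-+ bufp.u8 = buf;
-
--#ifdef CIPHER_BYTE_XOR
-- dest[0] = src[0] ^ buf[0];
-- dest[1] = src[1] ^ buf[1];
-- dest[2] = src[2] ^ buf[2];
-- dest[3] = src[3] ^ buf[3];
-- dest[4] = src[4] ^ buf[4];
-- dest[5] = src[5] ^ buf[5];
-- dest[6] = src[6] ^ buf[6];
-- dest[7] = src[7] ^ buf[7];
-- dest[8] = src[8] ^ buf[8];
-- dest[9] = src[9] ^ buf[9];
-- dest[10] = src[10] ^ buf[10];
-- dest[11] = src[11] ^ buf[11];
-- dest[12] = src[12] ^ buf[12];
-- dest[13] = src[13] ^ buf[13];
-- dest[14] = src[14] ^ buf[14];
-- dest[15] = src[15] ^ buf[15];
--#else
-- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
-- *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
-- *(uint64_t *)(buf + 8);
--#endif
-+ /* figure out the alignment on the fly */
-+#ifdef CIPHER_UNALIGNED_OK
-+ align = 0;
-+#else
-+ align = destp.u | srcp.u | bufp.u;
-+#endif
-+
-+#ifdef CIPHER_INT128_OK
-+ if ((align & 0xf) == 0) {
-+ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
-+ } else
-+#endif
-+ if ((align & 0x7) == 0) {
-+ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
-+ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
-+ } else if ((align & 0x3) == 0) {
-+ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
-+ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
-+ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
-+ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
-+ } else {
-+ size_t i;
-+ for (i = 0; i < AES_BLOCK_SIZE; ++i)
-+ dest[i] = src[i] ^ buf[i];
-+ }
-
-- dest += 16;
-- src += 16;
-- len -= 16;
-+ destp.u += AES_BLOCK_SIZE;
-+ srcp.u += AES_BLOCK_SIZE;
-+ len -= AES_BLOCK_SIZE;
- ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
-
- /* Increment read index, switch queues on rollover */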
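diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch
deleted file mode 100644
index 2a34ee9..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
-
---- openssh-6.6p1+x509-8.0.diff
-+++ openssh-6.6p1+x509-8.0.diff
-@@ -16337,10 +16337,10 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -499,6 +576,16 @@
-+@@ -514,6 +591,16 @@
-+ This facility is provided to assist with operation on multi homed machines.
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased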
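diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
deleted file mode 100644
index c76015d..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6.1p1-hpnssh14v4.diff
-+++ openssh-6.6.1p1-hpnssh14v4.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +393,10 @@
-+@@ -345,6 +393,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +517,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },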
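diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch
deleted file mode 100644
index beb2292..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6.1p1-hpnssh14v5.diff
-+++ openssh-6.6.1p1-hpnssh14v5.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +392,10 @@
-+@@ -345,6 +392,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +516,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },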
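diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch b/net-misc/openssh/files/openssh-6.6.1_p1.patch
deleted file mode 100644
index 2a8a87c..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-Hi,
-
-So I screwed up when writing the support for the curve25519 KEX method
-that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
-leading zero bytes where they should have been skipped. The impact of
-this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
-peer that implements curve25519-sha256 at libssh.org properly about 0.2%
-of the time (one in every 512ish connections).
-
-We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
-key exchange for previous versions, but I'd recommend distributors
-of OpenSSH apply this patch so the affected code doesn't become
-too entrenched in LTS releases.
-
-The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
-to distinguish itself from the incorrect versions so the compatibility
-code to disable the affected KEX isn't activated.
-
-I've committed this on the 6.6 branch too.
-
-Apologies for the hassle.
-
--d
-
-Index: version.h
-===================================================================
-RCS file: /var/cvs/openssh/version.h,v
-retrieving revision 1.82
-diff -u -p -r1.82 version.h
---- version.h 27 Feb 2014 23:01:54 -0000 1.82
-+++ version.h 20 Apr 2014 03:35:15 -0000
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-
--#define SSH_VERSION "OpenSSH_6.6"
-+#define SSH_VERSION "OpenSSH_6.6.1"
-
- #define SSH_PORTABLE "p1"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-Index: compat.c
-===================================================================
-RCS file: /var/cvs/openssh/compat.c,v
-retrieving revision 1.82
-retrieving revision 1.85
-diff -u -p -r1.82 -r1.85
---- compat.c 31 Dec 2013 01:25:41 -0000 1.82
-+++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- { "OpenSSH_4*", 0 },
- { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
-+ { "OpenSSH_6.5*,"
-+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- { "OpenSSH*", SSH_NEW_OPENSSH },
- { "*MindTerm*", 0 },
- { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
- return cipher_prop;
- }
-
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
- if (*pkalg_prop == '\0')
- fatal("No supported PK algorithms found");
- return pkalg_prop;
-+}
-+
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+ return kex_prop;
-+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@××××××.org");
-+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+ if (*kex_prop == '\0')
-+ fatal("No supported key exchange algorithms found");
-+ return kex_prop;
- }
-
-Index: compat.h
-===================================================================
-RCS file: /var/cvs/openssh/compat.h,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -p -r1.42 -r1.43
---- compat.h 31 Dec 2013 01:25:41 -0000 1.42
-+++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR 0x02000000
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
-+#define SSH_BUG_CURVE25519PAD 0x10000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-@@ -66,6 +67,7 @@ void compat_datafellows(const char *
- int proto_spec(const char *);
- char *compat_cipher_proposal(char *);
- char *compat_pkalg_proposal(char *);
-+char *compat_kex_proposal(char *);
-
- extern int compat13;
- extern int compat20;
-Index: sshd.c
-===================================================================
-RCS file: /var/cvs/openssh/sshd.c,v
-retrieving revision 1.448
-retrieving revision 1.453
-diff -u -p -r1.448 -r1.453
---- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
-+++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
-@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-+
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- (time_t)options.rekey_interval);
-Index: sshconnect2.c
-===================================================================
-RCS file: /var/cvs/openssh/sshconnect2.c,v
-retrieving revision 1.197
-retrieving revision 1.199
-diff -u -p -r1.197 -r1.199
---- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
-+++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
-@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
- }
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-Index: bufaux.c
-===================================================================
-RCS file: /var/cvs/openssh/bufaux.c,v
-retrieving revision 1.62
-retrieving revision 1.63
-diff -u -p -r1.62 -r1.63
---- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
-+++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
- * Author: Tatu Ylonen <ylo@××××××.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@××××××.fi>, Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
-
- if (l > 8 * 1024)
- fatal("%s: length %u too long", __func__, l);
-+ /* Skip leading zero bytes */
-+ for (; l > 0 && *s == 0; l--, s++)
-+ ;
- p = buf = xmalloc(l + 1);
- /*
- * If most significant bit is set then prepend a zero byte to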
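diff --git a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
deleted file mode 100644
index 6db6b97d..0000000
--- a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/entropy.c
-+++ b/entropy.c
-@@ -216,7 +216,7 @@ seed_rng(void)
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
- */
-- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
-+ u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L;
- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
- fatal("OpenSSL version mismatch. Built against %lx, you "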
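diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
deleted file mode 100644
index 0ba3e45..0000000
--- a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
-
---- openssh-6.6p1+x509-7.9.diff
-+++ openssh-6.6p1+x509-7.9.diff
-@@ -15473,10 +15473,9 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -499,6 +576,16 @@
-+@@ -499,5 +576,15 @@
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased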
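diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
deleted file mode 100644
index a69830e..0000000
--- a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6p1-hpnssh14v4.diff
-+++ openssh-6.6p1-hpnssh14v4.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +393,10 @@
-+@@ -345,6 +393,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
--+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +517,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },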
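diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
deleted file mode 100644
index fa33af3..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
- */
-- mask = 0xfff0000fL; /* major,minor,status */
-+ mask = 0xfff00000L; /* major,minor,status */
- hfix = (headerver & 0x000ff000) >> 12;
- lfix = (libver & 0x000ff000) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)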
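diff --git a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch b/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch
deleted file mode 100644
index 170031d..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -ur openssh-6.7p1.orig/ssh-rsa.c openssh-6.7p1/ssh-rsa.c
---- openssh-6.7p1.orig/ssh-rsa.c 2015-02-24 14:52:54.512197868 -0800
-+++ openssh-6.7p1/ssh-rsa.c 2015-02-27 11:48:54.173951646 -0800
-@@ -34,6 +34,7 @@
- #include "sshkey.h"
- #include "digest.h"
- #include "evp-compat.h"
-+#include "xmalloc.h"
-
- /*NOTE: Do not define USE_LEGACY_RSA_... if build
- is with FIPS capable OpenSSL */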
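diff --git a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch
deleted file mode 100644
index 7b12e9a..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,90 +0,0 @@
---- openssh-6.8_p1-sctp.patch.orig 2015-03-18 17:52:40.563506822 -0700
-+++ openssh-6.8_p1-sctp.patch 2015-03-18 18:14:30.919753194 -0700
-@@ -184,34 +184,6 @@
- int port; /* Port to connect. */
- int address_family;
- int connection_attempts; /* Max attempts (seconds) before
----- a/scp.1
--+++ b/scp.1
--@@ -19,7 +19,7 @@
-- .Sh SYNOPSIS
-- .Nm scp
-- .Bk -words
---.Op Fl 12346BCpqrv
--+.Op Fl 12346BCpqrvz
-- .Op Fl c Ar cipher
-- .Op Fl F Ar ssh_config
-- .Op Fl i Ar identity_file
--@@ -178,6 +178,7 @@ For full details of the options listed b
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UpdateHostKeys
-- .It UsePrivilegedPort
-- .It User
--@@ -218,6 +219,8 @@ and
-- to print debugging messages about their progress.
-- This is helpful in
-- debugging connection, authentication, and configuration problems.
--+.It Fl z
--+Use the SCTP protocol for connection instead of TCP which is the default.
-- .El
-- .Sh EXIT STATUS
-- .Ex -std scp
- --- a/scp.c
- +++ b/scp.c
- @@ -395,7 +395,11 @@ main(int argc, char **argv)
-@@ -471,34 +443,6 @@
- int protocol; /* Supported protocol versions. */
- struct ForwardOptions fwd_opts; /* forwarding options */
- SyslogFacility log_facility; /* Facility for system logging. */
----- a/ssh.1
--+++ b/ssh.1
--@@ -43,7 +43,7 @@
-- .Sh SYNOPSIS
-- .Nm ssh
-- .Bk -words
---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
--+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
-- .Op Fl b Ar bind_address
-- .Op Fl c Ar cipher_spec
-- .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -473,6 +473,7 @@ For full details of the options listed b
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UsePrivilegedPort
--@@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
-- controls.
-- .It Fl y
-- Send log information using the
--+.It Fl z
--+Use the SCTP protocol for connection instead of TCP which is the default.
-- .Xr syslog 3
-- system module.
-- By default this information is sent to stderr.
- --- a/ssh.c
- +++ b/ssh.c
- @@ -194,12 +194,17 @@ extern int muxserver_sock;
-@@ -520,13 +464,11 @@
- " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
- " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
--@@ -506,7 +512,7 @@ main(int ac, char **av)
-- argv0 = av[0];
-+@@ -506,4 +512,4 @@ main(int ac, char **av)
-
-- again:
--- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
--+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
-++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
-+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
- switch (opt) {
- case '1':
- @@ -732,6 +738,11 @@ main(int ac, char **av)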
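diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch b/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch
deleted file mode 100644
index e14a728..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-https://bugs.gentoo.org/544078
-https://bugzilla.mindrot.org/show_bug.cgi?id=2369
-
-From 117c961c8d1f0537973df5a6a937389b4b7b61b4 Mon Sep 17 00:00:00 2001
-From: "djm@×××××××.org" <djm@×××××××.org>
-Date: Mon, 23 Mar 2015 06:06:38 +0000
-Subject: [PATCH] upstream commit
-
-for ssh-keygen -A, don't try (and fail) to generate ssh
- v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
- without OpenSSL based on patch by Mike Frysinger; bz#2369
----
- ssh-keygen.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a3c2362..96dd8b4 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -948,12 +948,16 @@ do_gen_all_hostkeys(struct passwd *pw)
- char *key_type_display;
- char *path;
- } key_types[] = {
-+#ifdef WITH_OPENSSL
-+#ifdef WITH_SSH1
- { "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
-+#endif /* WITH_SSH1 */
- { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
- { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
- #ifdef OPENSSL_HAS_ECC
- { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
--#endif
-+#endif /* OPENSSL_HAS_ECC */
-+#endif /* WITH_OPENSSL */
- { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
- { NULL, NULL, NULL }
- };
---
-2.3.3
-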
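diff --git a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 48fce1e..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/378361
-https://bugzilla.mindrot.org/show_bug.cgi?id=928
-
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[NI_MAXHOST];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, sizeof(lname))) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
---- a/servconf.c
-+++ b/servconf.c
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
---- a/servconf.h
-+++ b/servconf.h
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
---- a/sshd_config
-+++ b/sshd_config
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAcceptedKeyTypes
- Specifies the key types that will be accepted for hostbased authentication
- as a comma-separated pattern list.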
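diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
deleted file mode 100644
index 9fad386..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@g.o>
-Date: Wed, 18 Mar 2015 12:37:24 -0400
-Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
- set
-
----
- configure.ac | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b4d6598..7806d20 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2276,10 +2276,10 @@ openssl_engine=no
- AC_ARG_WITH([ssl-engine],
- [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
- [
-- if test "x$openssl" = "xno" ; then
-- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-- fi
- if test "x$withval" != "xno" ; then
-+ if test "x$openssl" = "xno" ; then
-+ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-+ fi
- openssl_engine=yes
- fi
- ]
---
-2.3.2
-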
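diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch
deleted file mode 100644
index e72b1e6..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/0005-support-dynamically-sized-receive-buffers.patch
-+++ b/0005-support-dynamically-sized-receive-buffers.patch
-@@ -411,10 +411,10 @@ index af2f007..41b782b 100644
- --- a/compat.h
- +++ b/compat.h
- @@ -60,6 +60,7 @@
-- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
--+#define SSH_BUG_LARGEWINDOW 0x20000000
-+ #define SSH_BUG_HOSTKEYS 0x20000000
-++#define SSH_BUG_LARGEWINDOW 0x40000000
-
- void enable_compat13(void);
- void enable_compat20(void);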
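diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
deleted file mode 100644
index f99e92f..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-https://bugs.gentoo.org/547944
-
-From d8f391caef62378463a0e6b36f940170dadfe605 Mon Sep 17 00:00:00 2001
-From: "dtucker@×××××××.org" <dtucker@×××××××.org>
-Date: Fri, 10 Apr 2015 05:16:50 +0000
-Subject: [PATCH] upstream commit
-
-Don't send hostkey advertisments
- (hostkeys-00@×××××××.com) to current versions of Tera Term as they can't
- handle them. Newer versions should be OK. Patch from Bryan Drewery and
- IWAMOTO Kouichi, ok djm@
----
- compat.c | 13 ++++++++++++-
- compat.h | 3 ++-
- sshd.c | 6 +++++-
- 3 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/compat.c b/compat.c
-index 2498168..0934de9 100644
---- a/compat.c
-+++ b/compat.c
-@@ -167,6 +167,17 @@ compat_datafellows(const char *version)
- SSH_BUG_SCANNER },
- { "Probe-*",
- SSH_BUG_PROBE },
-+ { "TeraTerm SSH*,"
-+ "TTSSH/1.5.*,"
-+ "TTSSH/2.1*,"
-+ "TTSSH/2.2*,"
-+ "TTSSH/2.3*,"
-+ "TTSSH/2.4*,"
-+ "TTSSH/2.5*,"
-+ "TTSSH/2.6*,"
-+ "TTSSH/2.70*,"
-+ "TTSSH/2.71*,"
-+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
- { NULL, 0 }
- };
-
-diff --git a/compat.h b/compat.h
-index af2f007..83507f0 100644
---- a/compat.h
-+++ b/compat.h
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
-+#define SSH_BUG_HOSTKEYS 0x20000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-diff --git a/sshd.c b/sshd.c
-index 6aa17fa..60b0cd4 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh)
- int i, nkeys, r;
- char *fp;
-
-+ /* Some clients cannot cope with the hostkeys message, skip those. */
-+ if (datafellows & SSH_BUG_HOSTKEYS)
-+ return;
-+
- if ((buf = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new", __func__);
- for (i = nkeys = 0; i < options.num_host_key_files; i++) {
---
-2.3.6
-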
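diff --git a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch b/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch
deleted file mode 100644
index 9ce2967..0000000
--- a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -ur openssh-6.9p1.orig/sshconnect2.c openssh-6.9p1/sshconnect2.c
---- openssh-6.9p1.orig/sshconnect2.c 2015-07-01 14:56:26.766316866 -0700
-+++ openssh-6.9p1/sshconnect2.c 2015-07-01 14:59:22.828692366 -0700
-@@ -1404,7 +1404,7 @@
- static int
- get_allowed_keytype(Key *k) {
- char *pattern;
-- char *alg;
-+ const char *alg;
-
- if (k->type == KEY_RSA1 || k->type == KEY_UNSPEC)
- return KEY_UNSPEC;
-diff -ur openssh-6.9p1.orig/x509_nm_cmp.c openssh-6.9p1/x509_nm_cmp.c
---- openssh-6.9p1.orig/x509_nm_cmp.c 2015-07-01 14:56:26.129311890 -0700
-+++ openssh-6.9p1/x509_nm_cmp.c 2015-07-01 14:59:14.086624068 -0700
-@@ -133,7 +133,7 @@
- tag = M_ASN1_STRING_type(in);
- if (tag != V_ASN1_UTF8STRING) {
- /*OpenSSL method surprisingly require non-const(!?) ASN1_STRING!*/
-- return(ASN1_STRING_to_UTF8(out, in));
-+ return(ASN1_STRING_to_UTF8(out, (ASN1_STRING *) in));
- }
-
- l = M_ASN1_STRING_length(in);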
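diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
deleted file mode 100644
index 28952b4..0000000
--- a/net-misc/openssh/files/sshd.confd
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd
-
-# Where is your sshd_config file stored?
-
-SSHD_CONFDIR="/etc/ssh"
-
-
-# Any random options you want to pass to sshd.
-# See the sshd(8) manpage for more info.
-
-SSHD_OPTS=""
-
-
-# Pid file to use (needs to be absolute path).
-
-#SSHD_PIDFILE="/var/run/sshd.pid"
-
-
-# Path to the sshd binary (needs to be absolute path).
-
-#SSHD_BINARY="/usr/sbin/sshd"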
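diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
deleted file mode 100644
index b801aaa..0000000
--- a/net-misc/openssh/files/sshd.pam_include.2
+++ /dev/null
@@ -1,4 +0,0 @@
-auth include system-remote-login
-account include system-remote-login
-password include system-remote-login
-session include system-remote-login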
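diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
deleted file mode 100755
index 80f1b7e..0000000
--- a/net-misc/openssh/files/sshd.rc6.4
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.4,v 1.5 2015/05/04 02:56:25 vapier Exp $
-
-extra_commands="checkconfig"
-extra_started_commands="reload"
-
-: ${SSHD_CONFDIR:=/etc/ssh}
-: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
-: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
-: ${SSHD_BINARY:=/usr/sbin/sshd}
-
-depend() {
- use logger dns
- if [ "${rc_need+set}" = "set" ] ; then
- : # Do nothing, the user has explicitly set rc_need
- else
- local x warn_addr
- for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
- case "${x}" in
- 0.0.0.0|0.0.0.0:*) ;;
- ::|\[::\]*) ;;
- *) warn_addr="${warn_addr} ${x}" ;;
- esac
- done
- if [ -n "${warn_addr}" ] ; then
- need net
- ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
- ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
- ewarn "where FOO is the interface(s) providing the following address(es):"
- ewarn "${warn_addr}"
- fi
- fi
-}
-
-checkconfig() {
- if [ ! -d /var/empty ] ; then
- mkdir -p /var/empty || return 1
- fi
-
- if [ ! -e "${SSHD_CONFIG}" ] ; then
- eerror "You need an ${SSHD_CONFIG} file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- ssh-keygen -A || return 1
-
- [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
- && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
- [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
- && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
-
- "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
-}
-
-start() {
- checkconfig || return 1
-
- ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" \
- -- ${SSHD_OPTS}
- eend $?
-}
-
-stop() {
- if [ "${RC_CMD}" = "restart" ] ; then
- checkconfig || return 1
- fi
-
- ebegin "Stopping ${SVCNAME}"
- start-stop-daemon --stop --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" --quiet
- eend $?
-}
-
-reload() {
- checkconfig || return 1
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP \
- --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
- eend $?
-}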
1588 diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
1589 deleted file mode 100644
1590 index b5e96b3..0000000
1591 --- a/net-misc/openssh/files/sshd.service
1592 +++ /dev/null
1593 @@ -1,11 +0,0 @@
1594 -[Unit]
1595 -Description=OpenSSH server daemon
1596 -After=syslog.target network.target auditd.service
1597 -
1598 -[Service]
1599 -ExecStartPre=/usr/bin/ssh-keygen -A
1600 -ExecStart=/usr/sbin/sshd -D -e
1601 -ExecReload=/bin/kill -HUP $MAINPID
1602 -
1603 -[Install]
1604 -WantedBy=multi-user.target
1605
1606 diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
1607 deleted file mode 100644
1608 index 94b9533..0000000
1609 --- a/net-misc/openssh/files/sshd.socket
1610 +++ /dev/null
1611 @@ -1,10 +0,0 @@
1612 -[Unit]
1613 -Description=OpenSSH Server Socket
1614 -Conflicts=sshd.service
1615 -
1616 -[Socket]
1617 -ListenStream=22
1618 -Accept=yes
1619 -
1620 -[Install]
1621 -WantedBy=sockets.target
1622
1623 diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
1624 deleted file mode 100644
1625 index 2645ad0..0000000
1626 --- a/net-misc/openssh/files/sshd_at.service
1627 +++ /dev/null
1628 @@ -1,8 +0,0 @@
1629 -[Unit]
1630 -Description=OpenSSH per-connection server daemon
1631 -After=syslog.target auditd.service
1632 -
1633 -[Service]
1634 -ExecStart=-/usr/sbin/sshd -i -e
1635 -StandardInput=socket
1636 -StandardError=syslog
1637
1638 diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
1639 deleted file mode 100644
1640 index 29134fc..0000000
1641 --- a/net-misc/openssh/metadata.xml
1642 +++ /dev/null
1643 @@ -1,40 +0,0 @@
1644 -<?xml version="1.0" encoding="UTF-8"?>
1645 -<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
1646 -<pkgmetadata>
1647 - <maintainer type="project">
1648 - <email>base-system@g.o</email>
1649 - <name>Gentoo Base System</name>
1650 - </maintainer>
1651 - <maintainer type="person">
1652 - <email>robbat2@g.o</email>
1653 - <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
1654 - </maintainer>
1655 - <longdescription>
1656 -OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
1657 -increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
1658 -rlogin, ftp, and other such programs might not realize that their password is transmitted
1659 -across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
1660 -to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
1661 -Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
1662 -of authentication methods.
1663 -
1664 -The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
1665 -replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
1666 -the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
1667 -ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
1668 -</longdescription>
1669 - <use>
1670 - <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
1671 - <flag name="hpn">Enable high performance ssh</flag>
1672 - <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
1673 - <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
1674 - <flag name="livecd">Enable root password logins for live-cd environment.</flag>
1675 - <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
1676 - <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
1677 - <flag name="X509">Adds support for X.509 certificate authentication</flag>
1678 - </use>
1679 - <upstream>
1680 - <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
1681 - <remote-id type="sourceforge">hpnssh</remote-id>
1682 - </upstream>
1683 -</pkgmetadata>
1684
1685 diff --git a/net-misc/openssh/openssh-6.8_p1-r5.ebuild b/net-misc/openssh/openssh-6.8_p1-r5.ebuild
1686 deleted file mode 100644
1687 index 86b6a01..0000000
1688 --- a/net-misc/openssh/openssh-6.8_p1-r5.ebuild
1689 +++ /dev/null
1690 @@ -1,336 +0,0 @@
1691 -# Copyright 1999-2015 Gentoo Foundation
1692 -# Distributed under the terms of the GNU General Public License v2
1693 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.8_p1-r5.ebuild,v 1.1 2015/04/28 04:39:35 vapier Exp $
1694 -
1695 -EAPI="4"
1696 -inherit eutils user flag-o-matic multilib autotools pam systemd versionator
1697 -
1698 -# Make it more portable between straight releases
1699 -# and _p? releases.
1700 -PARCH=${P/_}
1701 -
1702 -HPN_PATCH="${PN}-6.8p1-r5-hpnssh14v5.tar.xz"
1703 -LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
1704 -X509_VER="8.3.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
1705 -
1706 -DESCRIPTION="Port of OpenBSD's free SSH release"
1707 -HOMEPAGE="http://www.openssh.org/"
1708 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
1709 - mirror://gentoo/${P}-sctp.patch.xz
1710 - ${HPN_PATCH:+hpn? (
1711 - mirror://gentoo/${HPN_PATCH}
1712 - http://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
1713 - mirror://sourceforge/hpnssh/${HPN_PATCH}
1714 - )}
1715 - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
1716 - ${X509_PATCH:+X509? (
1717 - http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
1718 - mirror://gentoo/${P}-x509-${X509_VER}-glue.patch.xz
1719 - )}
1720 - "
1721 -
1722 -LICENSE="BSD GPL-2"
1723 -SLOT="0"
1724 -KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
1725 -# Probably want to drop ssh1/ssl defaulting to on in a future version.
1726 -IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey +ssh1 +ssl static X X509"
1727 -REQUIRED_USE="pie? ( !static )
1728 - ssh1? ( ssl )
1729 - static? ( !kerberos !pam )
1730 - X509? ( !ldap ssl )"
1731 -
1732 -LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
1733 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
1734 - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
1735 - libedit? ( dev-libs/libedit[static-libs(+)] )
1736 - ssl? (
1737 - >=dev-libs/openssl-0.9.6d:0[bindist=]
1738 - dev-libs/openssl[static-libs(+)]
1739 - )
1740 - >=sys-libs/zlib-1.2.3[static-libs(+)]"
1741 -RDEPEND="
1742 - !static? (
1743 - ${LIB_DEPEND//\[static-libs(+)]}
1744 - ldns? (
1745 - !bindist? ( net-libs/ldns[ecdsa,ssl] )
1746 - bindist? ( net-libs/ldns[-ecdsa,ssl] )
1747 - )
1748 - )
1749 - pam? ( virtual/pam )
1750 - kerberos? ( virtual/krb5 )
1751 - ldap? ( net-nds/openldap )"
1752 -DEPEND="${RDEPEND}
1753 - static? (
1754 - ${LIB_DEPEND}
1755 - ldns? (
1756 - !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
1757 - bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
1758 - )
1759 - )
1760 - virtual/pkgconfig
1761 - virtual/os-headers
1762 - sys-devel/autoconf"
1763 -RDEPEND="${RDEPEND}
1764 - pam? ( >=sys-auth/pambase-20081028 )
1765 - userland_GNU? ( virtual/shadow )
1766 - X? ( x11-apps/xauth )"
1767 -
1768 -S=${WORKDIR}/${PARCH}
1769 -
1770 -pkg_setup() {
1771 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
1772 - # than not be able to log in to their server any more
1773 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1774 - local fail="
1775 - $(use X509 && maybe_fail X509 X509_PATCH)
1776 - $(use ldap && maybe_fail ldap LDAP_PATCH)
1777 - $(use hpn && maybe_fail hpn HPN_PATCH)
1778 - "
1779 - fail=$(echo ${fail})
1780 - if [[ -n ${fail} ]] ; then
1781 - eerror "Sorry, but this version does not yet support features"
1782 - eerror "that you requested: ${fail}"
1783 - eerror "Please mask ${PF} for now and check back later:"
1784 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1785 - die "booooo"
1786 - fi
1787 -
1788 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
1789 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
1790 - eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1791 - eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
1792 - die "USE=tcpd no longer works"
1793 - fi
1794 -}
1795 -
1796 -save_version() {
1797 - # version.h patch conflict avoidence
1798 - mv version.h version.h.$1
1799 - cp -f version.h.pristine version.h
1800 -}
1801 -
1802 -src_prepare() {
1803 - sed -i \
1804 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
1805 - pathnames.h || die
1806 - # keep this as we need it to avoid the conflict between LPK and HPN changing
1807 - # this file.
1808 - cp version.h version.h.pristine
1809 -
1810 - # don't break .ssh/authorized_keys2 for fun
1811 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1812 -
1813 - epatch "${FILESDIR}"/${PN}-6.8_p1-sshd-gssapi-multihomed.patch #378361
1814 - if use X509 ; then
1815 - pushd .. >/dev/null
1816 - epatch "${WORKDIR}"/${P}-x509-${X509_VER}-glue.patch
1817 - epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
1818 - popd >/dev/null
1819 - epatch "${WORKDIR}"/${X509_PATCH%.*}
1820 - epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
1821 - save_version X509
1822 - fi
1823 - if use ldap ; then
1824 - epatch "${WORKDIR}"/${LDAP_PATCH%.*}
1825 - save_version LPK
1826 - fi
1827 - epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1828 - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1829 - epatch "${FILESDIR}"/${PN}-6.8_p1-ssh-keygen-no-ssh1.patch #544078
1830 - epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm.patch #547944
1831 - # The X509 patchset fixes this independently.
1832 - use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
1833 - epatch "${WORKDIR}"/${P}-sctp.patch
1834 - if use hpn ; then
1835 - # The teraterm patch pulled in an upstream update.
1836 - pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
1837 - epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm-hpn-glue.patch
1838 - popd >/dev/null
1839 - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
1840 - EPATCH_MULTI_MSG="Applying HPN patchset ..." \
1841 - epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
1842 - save_version HPN
1843 - fi
1844 -
1845 - tc-export PKG_CONFIG
1846 - local sed_args=(
1847 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1848 - # Disable PATH reset, trust what portage gives us #254615
1849 - -e 's:^PATH=/:#PATH=/:'
1850 - # Disable fortify flags ... our gcc does this for us
1851 - -e 's:-D_FORTIFY_SOURCE=2::'
1852 - )
1853 - # The -ftrapv flag ICEs on hppa #505182
1854 - use hppa && sed_args+=(
1855 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1856 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1857 - )
1858 - sed -i "${sed_args[@]}" configure{.ac,} || die
1859 -
1860 - sed -i -e 's/-m 4711/-m 0711/' "${S}"/Makefile.in || die
1861 -
1862 - epatch_user #473004
1863 -
1864 - # Now we can build a sane merged version.h
1865 - (
1866 - sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
1867 - macros=()
1868 - for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
1869 - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
1870 - ) > version.h
1871 -
1872 - eautoreconf
1873 -}
1874 -
1875 -src_configure() {
1876 - addwrite /dev/ptmx
1877 - addpredict /etc/skey/skeykeys # skey configure code triggers this
1878 -
1879 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1880 - use static && append-ldflags -static
1881 -
1882 - local myconf=(
1883 - --with-ldflags="${LDFLAGS}"
1884 - --disable-strip
1885 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1886 - --sysconfdir="${EPREFIX}"/etc/ssh
1887 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
1888 - --datadir="${EPREFIX}"/usr/share/openssh
1889 - --with-privsep-path="${EPREFIX}"/var/empty
1890 - --with-privsep-user=sshd
1891 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
1892 - # We apply the ldap patch conditionally, so can't pass --without-ldap
1893 - # unconditionally else we get unknown flag warnings.
1894 - $(use ldap && use_with ldap)
1895 - $(use_with ldns)
1896 - $(use_with libedit)
1897 - $(use_with pam)
1898 - $(use_with pie)
1899 - $(use_with sctp)
1900 - $(use_with selinux)
1901 - $(use_with skey)
1902 - $(use_with ssh1)
1903 - # The X509 patch deletes this option entirely.
1904 - $(use X509 || use_with ssl openssl)
1905 - $(use_with ssl md5-passwords)
1906 - $(use_with ssl ssl-engine)
1907 - )
1908 -
1909 - # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
1910 - if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
1911 - myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
1912 - append-ldflags -lutil
1913 - fi
1914 -
1915 - econf "${myconf[@]}"
1916 -}
1917 -
1918 -src_install() {
1919 - emake install-nokeys DESTDIR="${D}"
1920 - fperms 600 /etc/ssh/sshd_config
1921 - dobin contrib/ssh-copy-id
1922 - newinitd "${FILESDIR}"/sshd.rc6.4 sshd
1923 - newconfd "${FILESDIR}"/sshd.confd sshd
1924 - keepdir /var/empty
1925 -
1926 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
1927 - if use pam ; then
1928 - sed -i \
1929 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
1930 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
1931 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
1932 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
1933 - "${ED}"/etc/ssh/sshd_config || die
1934 - fi
1935 -
1936 - # Gentoo tweaks to default config files
1937 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
1938 -
1939 - # Allow client to pass locale environment variables #367017
1940 - AcceptEnv LANG LC_*
1941 - EOF
1942 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
1943 -
1944 - # Send locale environment variables #367017
1945 - SendEnv LANG LC_*
1946 - EOF
1947 -
1948 - # This instruction is from the HPN webpage,
1949 - # Used for the server logging functionality
1950 - if [[ -n ${HPN_PATCH} ]] && use hpn ; then
1951 - keepdir /var/empty/dev
1952 - fi
1953 -
1954 - if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
1955 - insinto /etc/openldap/schema/
1956 - newins openssh-lpk_openldap.schema openssh-lpk.schema
1957 - fi
1958 -
1959 - doman contrib/ssh-copy-id.1
1960 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
1961 -
1962 - diropts -m 0700
1963 - dodir /etc/skel/.ssh
1964 -
1965 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
1966 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
1967 -}
1968 -
1969 -src_test() {
1970 - [[ $(id -u) = 0 ]] || return #335343
1971 - local t tests skipped failed passed shell
1972 - tests="interop-tests compat-tests"
1973 - skipped=""
1974 - shell=$(egetshell ${UID})
1975 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
1976 - elog "Running the full OpenSSH testsuite"
1977 - elog "requires a usable shell for the 'portage'"
1978 - elog "user, so we will run a subset only."
1979 - skipped="${skipped} tests"
1980 - else
1981 - tests="${tests} tests"
1982 - fi
1983 - # It will also attempt to write to the homedir .ssh
1984 - local sshhome=${T}/homedir
1985 - mkdir -p "${sshhome}"/.ssh
1986 - for t in ${tests} ; do
1987 - # Some tests read from stdin ...
1988 - HOMEDIR="${sshhome}" \
1989 - emake -k -j1 ${t} </dev/null \
1990 - && passed="${passed}${t} " \
1991 - || failed="${failed}${t} "
1992 - done
1993 - einfo "Passed tests: ${passed}"
1994 - ewarn "Skipped tests: ${skipped}"
1995 - if [[ -n ${failed} ]] ; then
1996 - ewarn "Failed tests: ${failed}"
1997 - die "Some tests failed: ${failed}"
1998 - else
1999 - einfo "Failed tests: ${failed}"
2000 - return 0
2001 - fi
2002 -}
2003 -
2004 -pkg_preinst() {
2005 - enewgroup sshd 22
2006 - enewuser sshd 22 -1 /var/empty sshd
2007 - fperms 4711 /usr/$(get_libdir)/misc/ssh-keysign
2008 -}
2009 -
2010 -pkg_postinst() {
2011 - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
2012 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
2013 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2014 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2015 - fi
2016 - ewarn "Remember to merge your config files in /etc/ssh/ and then"
2017 - ewarn "reload sshd: '/etc/init.d/sshd reload'."
2018 - # This instruction is from the HPN webpage,
2019 - # Used for the server logging functionality
2020 - if [[ -n ${HPN_PATCH} ]] && use hpn ; then
2021 - einfo "For the HPN server logging patch, you must ensure that"
2022 - einfo "your syslog application also listens at /var/empty/dev/log."
2023 - fi
2024 - elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
2025 - elog " dropped it. Make sure to update any configs that you might have."
2026 -}
2027
2028 diff --git a/net-misc/openssh/openssh-6.9_p1-r2.ebuild b/net-misc/openssh/openssh-6.9_p1-r2.ebuild
2029 deleted file mode 100644
2030 index 2cbcfa5..0000000
2031 --- a/net-misc/openssh/openssh-6.9_p1-r2.ebuild
2032 +++ /dev/null
2033 @@ -1,315 +0,0 @@
2034 -# Copyright 1999-2015 Gentoo Foundation
2035 -# Distributed under the terms of the GNU General Public License v2
2036 -# $Id$
2037 -
2038 -EAPI="4"
2039 -inherit eutils user flag-o-matic multilib autotools pam systemd versionator
2040 -
2041 -# Make it more portable between straight releases
2042 -# and _p? releases.
2043 -PARCH=${P/_}
2044 -
2045 -HPN_PATCH="${PN}-6.9p1-r1-hpnssh14v5.tar.xz"
2046 -LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
2047 -X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
2048 -
2049 -DESCRIPTION="Port of OpenBSD's free SSH release"
2050 -HOMEPAGE="http://www.openssh.org/"
2051 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2052 - mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
2053 - ${HPN_PATCH:+hpn? (
2054 - mirror://gentoo/${HPN_PATCH}
2055 - https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
2056 - mirror://sourceforge/hpnssh/${HPN_PATCH}
2057 - )}
2058 - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
2059 - ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
2060 - "
2061 -
2062 -LICENSE="BSD GPL-2"
2063 -SLOT="0"
2064 -KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2065 -# Probably want to drop ssl defaulting to on in a future version.
2066 -IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
2067 -REQUIRED_USE="ldns? ( ssl )
2068 - pie? ( !static )
2069 - ssh1? ( ssl )
2070 - static? ( !kerberos !pam )
2071 - X509? ( !ldap ssl )"
2072 -
2073 -LIB_DEPEND="
2074 - ldns? (
2075 - net-libs/ldns[static-libs(+)]
2076 - !bindist? ( net-libs/ldns[ecdsa,ssl] )
2077 - bindist? ( net-libs/ldns[-ecdsa,ssl] )
2078 - )
2079 - libedit? ( dev-libs/libedit[static-libs(+)] )
2080 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2081 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2082 - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
2083 - ssl? (
2084 - >=dev-libs/openssl-0.9.8f:0[bindist=]
2085 - dev-libs/openssl:0[static-libs(+)]
2086 - )
2087 - >=sys-libs/zlib-1.2.3[static-libs(+)]"
2088 -RDEPEND="
2089 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2090 - pam? ( virtual/pam )
2091 - kerberos? ( virtual/krb5 )
2092 - ldap? ( net-nds/openldap )"
2093 -DEPEND="${RDEPEND}
2094 - static? ( ${LIB_DEPEND} )
2095 - virtual/pkgconfig
2096 - virtual/os-headers
2097 - sys-devel/autoconf"
2098 -RDEPEND="${RDEPEND}
2099 - pam? ( >=sys-auth/pambase-20081028 )
2100 - userland_GNU? ( virtual/shadow )
2101 - X? ( x11-apps/xauth )"
2102 -
2103 -S=${WORKDIR}/${PARCH}
2104 -
2105 -pkg_setup() {
2106 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
2107 - # than not be able to log in to their server any more
2108 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2109 - local fail="
2110 - $(use X509 && maybe_fail X509 X509_PATCH)
2111 - $(use ldap && maybe_fail ldap LDAP_PATCH)
2112 - $(use hpn && maybe_fail hpn HPN_PATCH)
2113 - "
2114 - fail=$(echo ${fail})
2115 - if [[ -n ${fail} ]] ; then
2116 - eerror "Sorry, but this version does not yet support features"
2117 - eerror "that you requested: ${fail}"
2118 - eerror "Please mask ${PF} for now and check back later:"
2119 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2120 - die "booooo"
2121 - fi
2122 -
2123 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
2124 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
2125 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2126 - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
2127 - fi
2128 -}
2129 -
2130 -save_version() {
2131 - # version.h patch conflict avoidence
2132 - mv version.h version.h.$1
2133 - cp -f version.h.pristine version.h
2134 -}
2135 -
2136 -src_prepare() {
2137 - sed -i \
2138 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
2139 - pathnames.h || die
2140 - # keep this as we need it to avoid the conflict between LPK and HPN changing
2141 - # this file.
2142 - cp version.h version.h.pristine
2143 -
2144 - # don't break .ssh/authorized_keys2 for fun
2145 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2146 -
2147 - if use X509 ; then
2148 - pushd .. >/dev/null
2149 - #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
2150 - epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
2151 - popd >/dev/null
2152 - epatch "${WORKDIR}"/${X509_PATCH%.*}
2153 - epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
2154 - epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
2155 - save_version X509
2156 - fi
2157 - if use ldap ; then
2158 - epatch "${WORKDIR}"/${LDAP_PATCH%.*}
2159 - save_version LPK
2160 - fi
2161 - epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2162 - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2163 - # The X509 patchset fixes this independently.
2164 - use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
2165 - epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
2166 - if use hpn ; then
2167 - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
2168 - EPATCH_MULTI_MSG="Applying HPN patchset ..." \
2169 - epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
2170 - save_version HPN
2171 - fi
2172 -
2173 - tc-export PKG_CONFIG
2174 - local sed_args=(
2175 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
2176 - # Disable PATH reset, trust what portage gives us #254615
2177 - -e 's:^PATH=/:#PATH=/:'
2178 - # Disable fortify flags ... our gcc does this for us
2179 - -e 's:-D_FORTIFY_SOURCE=2::'
2180 - )
2181 - # The -ftrapv flag ICEs on hppa #505182
2182 - use hppa && sed_args+=(
2183 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
2184 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
2185 - )
2186 - sed -i "${sed_args[@]}" configure{.ac,} || die
2187 -
2188 - sed -i -e 's/-m 4711/-m 0711/' "${S}"/Makefile.in || die
2189 -
2190 - epatch_user #473004
2191 -
2192 - # Now we can build a sane merged version.h
2193 - (
2194 - sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
2195 - macros=()
2196 - for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
2197 - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
2198 - ) > version.h
2199 -
2200 - eautoreconf
2201 -}
2202 -
2203 -src_configure() {
2204 - addwrite /dev/ptmx
2205 - addpredict /etc/skey/skeykeys # skey configure code triggers this
2206 -
2207 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
2208 - use static && append-ldflags -static
2209 -
2210 - local myconf=(
2211 - --with-ldflags="${LDFLAGS}"
2212 - --disable-strip
2213 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
2214 - --sysconfdir="${EPREFIX}"/etc/ssh
2215 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
2216 - --datadir="${EPREFIX}"/usr/share/openssh
2217 - --with-privsep-path="${EPREFIX}"/var/empty
2218 - --with-privsep-user=sshd
2219 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
2220 - # We apply the ldap patch conditionally, so can't pass --without-ldap
2221 - # unconditionally else we get unknown flag warnings.
2222 - $(use ldap && use_with ldap)
2223 - $(use_with ldns)
2224 - $(use_with libedit)
2225 - $(use_with pam)
2226 - $(use_with pie)
2227 - $(use_with sctp)
2228 - $(use_with selinux)
2229 - $(use_with skey)
2230 - $(use_with ssh1)
2231 - # The X509 patch deletes this option entirely.
2232 - $(use X509 || use_with ssl openssl)
2233 - $(use_with ssl md5-passwords)
2234 - $(use_with ssl ssl-engine)
2235 - )
2236 -
2237 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2238 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2239 -
2240 - # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
2241 - if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
2242 - myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
2243 - append-ldflags -lutil
2244 - fi
2245 -
2246 - econf "${myconf[@]}"
2247 -}
2248 -
2249 -src_install() {
2250 - emake install-nokeys DESTDIR="${D}"
2251 - fperms 600 /etc/ssh/sshd_config
2252 - dobin contrib/ssh-copy-id
2253 - newinitd "${FILESDIR}"/sshd.rc6.4 sshd
2254 - newconfd "${FILESDIR}"/sshd.confd sshd
2255 - keepdir /var/empty
2256 -
2257 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
2258 - if use pam ; then
2259 - sed -i \
2260 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
2261 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
2262 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
2263 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
2264 - "${ED}"/etc/ssh/sshd_config || die
2265 - fi
2266 -
2267 - # Gentoo tweaks to default config files
2268 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
2269 -
2270 - # Allow client to pass locale environment variables #367017
2271 - AcceptEnv LANG LC_*
2272 - EOF
2273 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
2274 -
2275 - # Send locale environment variables #367017
2276 - SendEnv LANG LC_*
2277 - EOF
2278 -
2279 - if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
2280 - insinto /etc/openldap/schema/
2281 - newins openssh-lpk_openldap.schema openssh-lpk.schema
2282 - fi
2283 -
2284 - doman contrib/ssh-copy-id.1
2285 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
2286 -
2287 - diropts -m 0700
2288 - dodir /etc/skel/.ssh
2289 -
2290 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
2291 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
2292 -}
2293 -
2294 -src_test() {
2295 - [[ $(id -u) = 0 ]] || return #335343
2296 - local t tests skipped failed passed shell
2297 - tests="interop-tests compat-tests"
2298 - skipped=""
2299 - shell=$(egetshell ${UID})
2300 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2301 - elog "Running the full OpenSSH testsuite"
2302 - elog "requires a usable shell for the 'portage'"
2303 - elog "user, so we will run a subset only."
2304 - skipped="${skipped} tests"
2305 - else
2306 - tests="${tests} tests"
2307 - fi
2308 - # It will also attempt to write to the homedir .ssh
2309 - local sshhome=${T}/homedir
2310 - mkdir -p "${sshhome}"/.ssh
2311 - for t in ${tests} ; do
2312 - # Some tests read from stdin ...
2313 - HOMEDIR="${sshhome}" \
2314 - emake -k -j1 ${t} </dev/null \
2315 - && passed="${passed}${t} " \
2316 - || failed="${failed}${t} "
2317 - done
2318 - einfo "Passed tests: ${passed}"
2319 - ewarn "Skipped tests: ${skipped}"
2320 - if [[ -n ${failed} ]] ; then
2321 - ewarn "Failed tests: ${failed}"
2322 - die "Some tests failed: ${failed}"
2323 - else
2324 - einfo "Failed tests: ${failed}"
2325 - return 0
2326 - fi
2327 -}
2328 -
2329 -pkg_preinst() {
2330 - enewgroup sshd 22
2331 - enewuser sshd 22 -1 /var/empty sshd
2332 - fperms 4711 /usr/$(get_libdir)/misc/ssh-keysign
2333 -}
2334 -
2335 -pkg_postinst() {
2336 - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
2337 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
2338 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2339 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2340 - fi
2341 - if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
2342 - elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
2343 - fi
2344 - ewarn "Remember to merge your config files in /etc/ssh/ and then"
2345 - ewarn "reload sshd: '/etc/init.d/sshd reload'."
2346 - elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
2347 - elog " dropped it. Make sure to update any configs that you might have."
2348 -}
2349
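--- a/net-misc/openssh/openssh-7.1_p2-r1.ebuild
+++ /dev/null
@@ -1,327 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
-LDAP_PATCH="${PN}-lpk-7.1p2-0.3.14.patch.xz"
-X509_VER="8.7" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )"
-
-LIB_DEPEND="
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- !libressl? (
- >=dev-libs/openssl-0.9.8f:0[bindist=]
- dev-libs/openssl:0[static-libs(+)]
- )
- libressl? ( dev-libs/libressl[static-libs(+)] )
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- if use X509 ; then
- pushd .. >/dev/null
- if use hpn ; then
- pushd ${HPN_PATCH%.*.*} >/dev/null
- epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
- popd >/dev/null
- fi
- epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
- save_version X509
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- # The X509 patchset fixes this independently.
- use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
- if use hpn ; then
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- [[ $(id -u) = 0 ]] || return #335343
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
- elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
- fi
- if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-}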