9 files changed, 45 insertions, 93 deletions

diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile
index 9bb3895c0126..18deb825215c 100644
--- a/security/hpn-ssh/Makefile
+++ b/security/hpn-ssh/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	openssh
-PORTVERSION=	3.3p1
-PORTREVISION=	5
+PORTVERSION=	3.4p1
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/hpn-ssh/distinfo b/security/hpn-ssh/distinfo
index 703e5bc95311..97f2233a74a4 100644
--- a/security/hpn-ssh/distinfo
+++ b/security/hpn-ssh/distinfo
@@ -1,2 +1 @@
-MD5 (openssh-3.3p1.tar.gz) = 226fdde5498c56288e777c7a697996e0
-MD5 (openssh-3.2.3p1-gssapi-20020527.diff) = 27f170956f607b951ffda48da588b00a
+MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 9bb3895c0126..18deb825215c 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	openssh
-PORTVERSION=	3.3p1
-PORTREVISION=	5
+PORTVERSION=	3.4p1
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 703e5bc95311..97f2233a74a4 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,2 +1 @@
-MD5 (openssh-3.3p1.tar.gz) = 226fdde5498c56288e777c7a697996e0
-MD5 (openssh-3.2.3p1-gssapi-20020527.diff) = 27f170956f607b951ffda48da588b00a
+MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 59b89f77f19f..96bed6193406 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	openssh
-PORTVERSION=	3.3
-PORTREVISION=	5
+PORTVERSION=	3.4
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
 		ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 4d4f78bceeb7..73b6801ed2f7 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,2 +1,2 @@
-MD5 (openssh-3.3.tgz) = f75f98b8c901c07f38710959da94a73b
-MD5 (openbsd28_3.3.patch) = d3cf2655df4a0b9d0624d1e5893c4324
+MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
+MD5 (openbsd28_3.4.patch) = 46cfc2332b357e338e421dd456435a65
diff --git a/security/openssh/files/patch-auth1.c b/security/openssh/files/patch-auth1.c
index aa1b085f3beb..ce0593315499 100644
--- a/security/openssh/files/patch-auth1.c
+++ b/security/openssh/files/patch-auth1.c
@@ -1,5 +1,5 @@
 --- auth1.c.orig	Wed Jun 19 02:27:55 2002
-+++ auth1.c	Mon Jun 24 23:54:35 2002
++++ auth1.c	Wed Jun 26 18:05:48 2002
 @@ -27,6 +27,15 @@
  #include "uidswap.h"
  #include "monitor_wrap.h"
@@ -153,17 +153,15 @@
  #ifdef BSD_AUTH
  		if (authctxt->as) {
  			auth_close(authctxt->as);
-@@ -299,9 +394,24 @@
+@@ -299,9 +394,23 @@
  		    !auth_root_allowed(get_authname(type)))
  			authenticated = 0;
  
--		/* Log before sending the reply */
 +		if (pw != NULL && pw->pw_uid == 0)
 +		  log("ROOT LOGIN as '%.100s' from %.100s",
 +		      pw->pw_name, from_host);
 +
-+		/* Log before ghT!
-+sending the reply */
+ 		/* Log before sending the reply */
  		auth_log(authctxt, authenticated, get_authname(type), info);
  
 +#ifdef USE_PAM
@@ -179,7 +177,7 @@
  		if (authenticated)
  			return;
  
-@@ -354,6 +464,11 @@
+@@ -354,6 +463,11 @@
  		authctxt->valid = 1;
  	else
  		debug("do_authentication: illegal user %s", user);
diff --git a/security/openssh/files/patch-auth2-chall.c b/security/openssh/files/patch-auth2-chall.c
index 80470f799fd8..6345cf58a798 100644
--- a/security/openssh/files/patch-auth2-chall.c
+++ b/security/openssh/files/patch-auth2-chall.c
@@ -27,62 +27,3 @@
  	NULL
  };
  
-@@ -63,6 +63,7 @@
- 	char *devices;
- 	void *ctxt;
- 	KbdintDevice *device;
-+	u_int nreq;
- };
- 
- static KbdintAuthctxt *
-@@ -90,6 +91,7 @@
- 	debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
- 	kbdintctxt->ctxt = NULL;
- 	kbdintctxt->device = NULL;
-+	kbdintctxt->nreq = 0;
- 
- 	return kbdintctxt;
- }
-@@ -209,26 +211,26 @@
- 	KbdintAuthctxt *kbdintctxt;
- 	char *name, *instr, **prompts;
- 	int i;
--	u_int numprompts, *echo_on;
-+	u_int *echo_on;
- 
- 	kbdintctxt = authctxt->kbdintctxt;
- 	if (kbdintctxt->device->query(kbdintctxt->ctxt,
--	    &name, &instr, &numprompts, &prompts, &echo_on))
-+	    &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
- 		return 0;
- 
- 	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
- 	packet_put_cstring(name);
- 	packet_put_cstring(instr);
- 	packet_put_cstring("");		/* language not used */
--	packet_put_int(numprompts);
--	for (i = 0; i < numprompts; i++) {
-+	packet_put_int(kbdintctxt->nreq);
-+	for (i = 0; i < kbdintctxt->nreq; i++) {
- 		packet_put_cstring(prompts[i]);
- 		packet_put_char(echo_on[i]);
- 	}
- 	packet_send();
- 	packet_write_wait();
- 
--	for (i = 0; i < numprompts; i++)
-+	for (i = 0; i < kbdintctxt->nreq; i++)
- 		xfree(prompts[i]);
- 	xfree(prompts);
- 	xfree(echo_on);
-@@ -256,6 +258,10 @@
- 
- 	authctxt->postponed = 0;	/* reset */
- 	nresp = packet_get_int();
-+	if (nresp != kbdintctxt->nreq)
-+		fatal("input_userauth_info_response: wrong number of replies");
-+	if (nresp > 100)
-+		fatal("input_userauth_info_response: too many replies");
- 	if (nresp > 0) {
- 		response = xmalloc(nresp * sizeof(char*));
- 		for (i = 0; i < nresp; i++)
diff --git a/security/openssh/files/patch-session.c b/security/openssh/files/patch-session.c
index ab101d928a4c..e93a8a212829 100644
--- a/security/openssh/files/patch-session.c
+++ b/security/openssh/files/patch-session.c
@@ -1,5 +1,5 @@
---- session.c.orig	Wed Jun 26 14:23:47 2002
-+++ session.c	Wed Jun 26 16:38:27 2002
+--- session.c.orig	Wed Jun 26 17:32:54 2002
++++ session.c	Wed Jun 26 18:05:16 2002
 @@ -58,6 +58,13 @@
  #include "session.h"
  #include "monitor_wrap.h"
@@ -39,12 +39,30 @@
  		 * Create a new session and process group since the 4.4BSD
  		 * setlogin() affects the entire process group.
  		 */
-@@ -545,11 +563,24 @@
+@@ -539,17 +557,42 @@
+ {
+ 	int fdout, ptyfd, ttyfd, ptymaster;
+ 	pid_t pid;
++#ifdef USE_PAM
++	const char *shorttty;
++#endif /* USE_PAM */
+ 
+ 	if (s == NULL)
+ 		fatal("do_exec_pty: no session");
  	ptyfd = s->ptyfd;
  	ttyfd = s->ttyfd;
  
 +#ifdef USE_PAM
-+	do_pam_session(s->pw->pw_name, s->tty);
++	/* check if we have a pathname in the ttyname */
++	shorttty = rindex( s->tty, '/' );
++	if (shorttty != NULL ) {
++		/* use only the short filename to check */
++		shorttty ++;
++	} else {
++		/* nothing found, use the whole name found */
++		shorttty = s->tty;
++	}
++	do_pam_session(s->pw->pw_name, shorttty);
 +	do_pam_setcred();
 +#endif /* USE_PAM */
 +
@@ -64,7 +82,7 @@
  		/* Close the master side of the pseudo tty. */
  		close(ptyfd);
  
-@@ -638,6 +669,18 @@
+@@ -638,6 +681,18 @@
  	struct sockaddr_storage from;
  	struct passwd * pw = s->pw;
  	pid_t pid = getpid();
@@ -83,7 +101,7 @@
  
  	/*
  	 * Get IP address of client. If the connection is not a socket, let
-@@ -660,10 +703,97 @@
+@@ -660,10 +715,97 @@
  		    options.verify_reverse_mapping),
  		    (struct sockaddr *)&from);
  
@@ -182,7 +200,7 @@
  		time_string = ctime(&s->last_login_time);
  		if (strchr(time_string, '\n'))
  			*strchr(time_string, '\n') = 0;
-@@ -674,7 +804,30 @@
+@@ -674,7 +816,30 @@
  			    s->hostname);
  	}
  
@@ -214,7 +232,7 @@
  }
  
  /*
-@@ -690,9 +843,9 @@
+@@ -690,9 +855,9 @@
  #ifdef HAVE_LOGIN_CAP
  		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
  		    "/etc/motd"), "r");
@@ -226,7 +244,7 @@
  		if (f) {
  			while (fgets(buf, sizeof(buf), f))
  				fputs(buf, stdout);
-@@ -719,10 +872,10 @@
+@@ -719,10 +884,10 @@
  #ifdef HAVE_LOGIN_CAP
  	if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
  		return 1;
@@ -239,7 +257,7 @@
  	return 0;
  }
  
-@@ -806,12 +959,39 @@
+@@ -813,12 +978,39 @@
  	fclose(f);
  }
  
@@ -279,7 +297,7 @@
  	struct passwd *pw = s->pw;
  
  	/* Initialize the environment. */
-@@ -820,16 +1000,33 @@
+@@ -827,16 +1019,33 @@
  	env[0] = NULL;
  
  	if (!options.use_login) {
@@ -316,7 +334,7 @@
  
  		snprintf(buf, sizeof buf, "%.200s/%.50s",
  			 _PATH_MAILDIR, pw->pw_name);
-@@ -882,6 +1079,10 @@
+@@ -889,6 +1098,10 @@
  		child_set_env(&env, &envsize, "KRB5CCNAME",
  		    s->authctxt->krb5_ticket_file);
  #endif
@@ -327,7 +345,7 @@
  	if (auth_sock_name != NULL)
  		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
  		    auth_sock_name);
-@@ -998,7 +1199,7 @@
+@@ -1005,7 +1218,7 @@
  	if (getuid() == 0 || geteuid() == 0) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,
@@ -336,7 +354,7 @@
  			perror("unable to set user context");
  			exit(1);
  		}
-@@ -1038,6 +1239,36 @@
+@@ -1045,6 +1258,36 @@
  	exit(1);
  }
  
@@ -373,7 +391,7 @@
  /*
   * Performs common processing for the child, such as setting up the
   * environment, closing extra file descriptors, setting the user and group
-@@ -1116,7 +1347,7 @@
+@@ -1123,7 +1366,7 @@
  	 * initgroups, because at least on Solaris 2.3 it leaves file
  	 * descriptors open.
  	 */
@@ -382,7 +400,7 @@
  		close(i);
  
  	/*
-@@ -1146,6 +1377,31 @@
+@@ -1153,6 +1396,31 @@
  			exit(1);
  #endif
  	}