Diffstat (limited to 'security/hpn-ssh')
-rw-r--r--security/hpn-ssh/Makefile145
-rw-r--r--security/hpn-ssh/distinfo2
-rw-r--r--security/hpn-ssh/files/auth2-pam-freebsd.c336
-rw-r--r--security/hpn-ssh/files/batch.patch36
-rw-r--r--security/hpn-ssh/files/patch-Makefile.in11
-rw-r--r--security/hpn-ssh/files/patch-auth.c29
-rw-r--r--security/hpn-ssh/files/patch-auth1.c64
-rw-r--r--security/hpn-ssh/files/patch-auth2-chall.c48
-rw-r--r--security/hpn-ssh/files/patch-auth2.c68
-rw-r--r--security/hpn-ssh/files/patch-clientloop.c11
-rw-r--r--security/hpn-ssh/files/patch-loginrec.c25
-rw-r--r--security/hpn-ssh/files/patch-monitor.c137
-rw-r--r--security/hpn-ssh/files/patch-monitor.h13
-rw-r--r--security/hpn-ssh/files/patch-monitor_wrap.c107
-rw-r--r--security/hpn-ssh/files/patch-monitor_wrap.h13
-rw-r--r--security/hpn-ssh/files/patch-session.c334
-rw-r--r--security/hpn-ssh/files/patch-sshd.c31
-rw-r--r--security/hpn-ssh/files/patch-sshd_config18
-rw-r--r--security/hpn-ssh/files/patch-sshpty.c12
-rw-r--r--security/hpn-ssh/files/patch-stderr-after-eof.sh11
-rw-r--r--security/hpn-ssh/files/servconf.c.patch17
-rw-r--r--security/hpn-ssh/files/sshd.sh24
-rw-r--r--security/hpn-ssh/pkg-comment1
-rw-r--r--security/hpn-ssh/pkg-descr15
-rw-r--r--security/hpn-ssh/pkg-message17
-rw-r--r--security/hpn-ssh/pkg-plist38
26 files changed, 0 insertions, 1563 deletions
diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile
deleted file mode 100644
index 096b45944305..000000000000
--- a/security/hpn-ssh/Makefile
+++ /dev/null
@@ -1,145 +0,0 @@
-# New ports collection makefile for: openssh
-# Date created: 18 Mar 1999
-# Whom: dwcjr@inethouston.net
-#
-# $FreeBSD$
-#
-
-PORTNAME= openssh
-PORTVERSION= 3.5p1
-CATEGORIES= security ipv6
-MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
- ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
-PKGNAMESUFFIX?= -portable
-
-MAINTAINER= dinoex@FreeBSD.org
-
-MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
-MLINKS= ssh.1 slogin.1
-MAN5= ssh_config.5 sshd_config.5
-MAN8= sftp-server.8 sshd.8 ssh-keysign.8
-
-CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto
-GNU_CONFIGURE= yes
-CONFIGURE_ARGS+= --prefix=${PREFIX} --with-md5-passwords
-PRECIOUS= ssh_config sshd_config \
- ssh_host_key ssh_host_key.pub \
- ssh_host_rsa_key ssh_host_rsa_key.pub \
- ssh_host_dsa_key ssh_host_dsa_key.pub
-ETCOLD= ${PREFIX}/etc
-ADDME+= auth2-pam-freebsd.c
-
-.if exists(/usr/include/security/pam_modules.h)
-CONFIGURE_ARGS+= --with-pam
-.endif
-
-.if exists(/usr/include/tcpd.h)
-CONFIGURE_ARGS+= --with-tcp-wrappers
-.endif
-
-.if !defined(ENABLE_SUID_SSH)
-CONFIGURE_ARGS+= --disable-suid-ssh
-.endif
-
-.if defined(OPENSSH_OVERWRITE_BASE)
-USE_OPENSSL_BASE= yes
-PKGNAMESUFFIX= -overwrite-base
-PREFIX= /usr
-MANPREFIX= ${PREFIX}/share
-CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man --localstatedir=/var
-EMPTYDIR= /var/empty
-ETCSSH= /etc/ssh
-PLIST_SUB+= NOTBASE="@comment "
-PLIST_SUB+= BASE=""
-PKGMESSAGE= pkg-message.empty
-.else
-.if exists(/var/empty)
-EMPTYDIR= /var/empty
-.else
-EMPTYDIR= ${PREFIX}/empty
-.endif
-ETCSSH= ${PREFIX}/etc/ssh
-PLIST_SUB+= NOTBASE=""
-PLIST_SUB+= BASE="@comment "
-.endif
-PLIST_SUB+= EMPTYDIR=${EMPTYDIR}
-CONFIGURE_ARGS+= --sysconfdir=${ETCSSH}
-CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR}
-
-.if defined(BATCH)
-EXTRA_PATCHES+= ${FILESDIR}/batch.patch
-.endif
-
-post-extract:
-.for i in ${ADDME}
- @${CP} ${FILESDIR}/${i} ${WRKSRC}/
-.endfor
-
-.if defined(KRB5_HOME) && exists(${KRB5_HOME})
-BROKEN= patch conflicts with 3.5p1
-PKGNAMESUFFIX= -gssapi
-GSSAPI_PATCH= ${PORTNAME}-3.4p1-gssapi-20020627.diff
-GSSAPI_SITE= http://www.sxw.org.uk/computing/patches/
-MASTER_SITES+= ${GSSAPI_SITE}
-DISTFILES= ${EXTRACT_ONLY} ${GSSAPI_PATCH}
-EXTRACT_ONLY= ${PORTNAME}-${PORTVERSION}${EXTRACT_SUFX}
-EXTRA_PATCHES+= ${FILESDIR}/servconf.c.patch
-BUILD_DEPENDS= autoconf:${PORTSDIR}/devel/autoconf
-# USE_AUTOCONF_VER= 252 # broken
-CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME}
-AUTOCONF= autoconf
-AUTOHEADER= autoheader
-
-post-patch:
- @${ECHO_MSG} Applying extra patch for GSS-API key-exchange...
- @${PATCH} ${PATCH_DIST_ARGS:S/-p0/-p1/} \
- < ${DISTDIR}/${GSSAPI_PATCH}
-
-pre-configure:
- @${ECHO_MSG} !!!! Warning this option uses autoconf/autoheader !!!
- (cd ${CONFIGURE_WRKSRC} && ${SETENV} ${AUTOCONF_ENV} ${AUTOCONF} \
- ${AUTOCONF_ARGS})
- (cd ${CONFIGURE_WRKSRC} && ${SETENV} ${AUTOCONF_ENV} ${AUTOHEADER})
-.endif
-
-post-configure:
- ${SED} -e 's:__PREFIX__:${PREFIX}:g' \
- ${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh
-
-pre-install:
-.if defined(OPENSSH_OVERWRITE_BASE)
- -${MKDIR} ${EMPTYDIR}
-.else
- -${MKDIR} ${PREFIX}/empty
-.endif
- if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi
- if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \
- -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi
- -@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH}
-.for i in ${PRECIOUS}
- -@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \
- ${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." && \
- ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i}
-.endfor
-
-post-install:
-.if !defined(OPENSSH_OVERWRITE_BASE)
- ${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample
-.endif
- ${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist
- ${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist
-.if !defined(OPENSSH_OVERWRITE_BASE)
- @${CAT} ${PKGMESSAGE}
-.endif
-
-test:
- (cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \
- PATH=${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
- ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} )
-
-.include <bsd.port.pre.mk>
-
-.include "${PORTSDIR}/security/openssl/Makefile.ssl"
-CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
-
-.include <bsd.port.post.mk>
diff --git a/security/hpn-ssh/distinfo b/security/hpn-ssh/distinfo
deleted file mode 100644
index 17bee19d09e1..000000000000
--- a/security/hpn-ssh/distinfo
+++ /dev/null
@@ -1,2 +0,0 @@
-MD5 (openssh-3.5p1.tar.gz) = 42bd78508d208b55843c84dd54dea848
-MD5 (openssh-3.4p1-gssapi-20020627.diff) = bd58f041a44538ab532efe261c904973
diff --git a/security/hpn-ssh/files/auth2-pam-freebsd.c b/security/hpn-ssh/files/auth2-pam-freebsd.c
deleted file mode 100644
index 8840a61f93a7..000000000000
--- a/security/hpn-ssh/files/auth2-pam-freebsd.c
+++ /dev/null
@@ -1,336 +0,0 @@
-/*-
- * Copyright (c) 2002 Networks Associates Technology, Inc.
- * All rights reserved.
- *
- * This software was developed for the FreeBSD Project by ThinkSec AS and
- * NAI Labs, the Security Research Division of Network Associates, Inc.
- * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
- * DARPA CHATS research program.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior written
- * permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$FreeBSD: /tmp/pcvs/ports/security/hpn-ssh/files/Attic/auth2-pam-freebsd.c,v 1.4 2002-10-17 04:40:20 dinoex Exp $");
-
-#ifdef USE_PAM
-#include <security/pam_appl.h>
-
-#include "auth.h"
-#include "buffer.h"
-#include "bufaux.h"
-#include "log.h"
-#include "monitor_wrap.h"
-#include "msg.h"
-#include "packet.h"
-#include "ssh2.h"
-#include "xmalloc.h"
-
-struct pam_ctxt {
- char *pam_user;
- pid_t pam_pid;
- int pam_sock;
- int pam_done;
-};
-
-static void pam_free_ctx(void *);
-
-/*
- * Conversation function for child process.
- */
-static int
-pam_child_conv(int n,
- const struct pam_message **msg,
- struct pam_response **resp,
- void *data)
-{
- Buffer buffer;
- struct pam_ctxt *ctxt;
- int i;
-
- ctxt = data;
- if (n <= 0 || n > PAM_MAX_NUM_MSG)
- return (PAM_CONV_ERR);
- *resp = xmalloc(n * sizeof **resp);
- buffer_init(&buffer);
- for (i = 0; i < n; ++i) {
- resp[i]->resp_retcode = 0;
- resp[i]->resp = NULL;
- switch (msg[i]->msg_style) {
- case PAM_PROMPT_ECHO_OFF:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
- ssh_msg_recv(ctxt->pam_sock, &buffer);
- if (buffer_get_char(&buffer) != PAM_AUTHTOK)
- goto fail;
- resp[i]->resp = buffer_get_string(&buffer, NULL);
- break;
- case PAM_PROMPT_ECHO_ON:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
- ssh_msg_recv(ctxt->pam_sock, &buffer);
- if (buffer_get_char(&buffer) != PAM_AUTHTOK)
- goto fail;
- resp[i]->resp = buffer_get_string(&buffer, NULL);
- break;
- case PAM_ERROR_MSG:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
- break;
- case PAM_TEXT_INFO:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
- break;
- default:
- goto fail;
- }
- buffer_clear(&buffer);
- }
- buffer_free(&buffer);
- return (PAM_SUCCESS);
- fail:
- while (i)
- xfree(resp[--i]);
- xfree(*resp);
- *resp = NULL;
- buffer_free(&buffer);
- return (PAM_CONV_ERR);
-}
-
-/*
- * Child process.
- */
-static void *
-pam_child(struct pam_ctxt *ctxt)
-{
- Buffer buffer;
- struct pam_conv pam_conv;
- pam_handle_t *pamh;
- int pam_err;
-
- pam_conv.conv = pam_child_conv;
- pam_conv.appdata_ptr = ctxt;
- buffer_init(&buffer);
- setproctitle("%s [pam]", ctxt->pam_user);
- pam_err = pam_start("sshd", ctxt->pam_user, &pam_conv, &pamh);
- if (pam_err != PAM_SUCCESS)
- goto auth_fail;
- pam_err = pam_authenticate(pamh, 0);
- if (pam_err != PAM_SUCCESS)
- goto auth_fail;
- pam_err = pam_acct_mgmt(pamh, 0);
- if (pam_err != PAM_SUCCESS)
- goto auth_fail;
- buffer_put_cstring(&buffer, "OK");
- ssh_msg_send(ctxt->pam_sock, PAM_SUCCESS, &buffer);
- buffer_free(&buffer);
- pam_end(pamh, pam_err);
- exit(0);
- auth_fail:
- buffer_put_cstring(&buffer, pam_strerror(pamh, pam_err));
- ssh_msg_send(ctxt->pam_sock, PAM_AUTH_ERR, &buffer);
- buffer_free(&buffer);
- pam_end(pamh, pam_err);
- exit(0);
-}
-
-static void
-pam_cleanup(void *ctxtp)
-{
- struct pam_ctxt *ctxt = ctxtp;
- int status;
-
- close(ctxt->pam_sock);
- kill(ctxt->pam_pid, SIGHUP);
- waitpid(ctxt->pam_pid, &status, 0);
-}
-
-static void *
-pam_init_ctx(Authctxt *authctxt)
-{
- struct pam_ctxt *ctxt;
- int socks[2];
- int i;
-
- ctxt = xmalloc(sizeof *ctxt);
- ctxt->pam_user = xstrdup(authctxt->user);
- ctxt->pam_done = 0;
- if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
- error("%s: failed create sockets: %s",
- __func__, strerror(errno));
- xfree(ctxt);
- return (NULL);
- }
- if ((ctxt->pam_pid = fork()) == -1) {
- error("%s: failed to fork auth-pam child: %s",
- __func__, strerror(errno));
- close(socks[0]);
- close(socks[1]);
- xfree(ctxt);
- return (NULL);
- }
- if (ctxt->pam_pid == 0) {
- /* close everything except our end of the pipe */
- ctxt->pam_sock = socks[1];
- for (i = 3; i < getdtablesize(); ++i)
- if (i != ctxt->pam_sock)
- close(i);
- pam_child(ctxt);
- /* not reached */
- exit(1);
- }
- ctxt->pam_sock = socks[0];
- close(socks[1]);
- fatal_add_cleanup(pam_cleanup, ctxt);
- return (ctxt);
-}
-
-static int
-pam_query(void *ctx, char **name, char **info,
- u_int *num, char ***prompts, u_int **echo_on)
-{
- Buffer buffer;
- struct pam_ctxt *ctxt = ctx;
- size_t plen;
- u_char type;
- char *msg;
-
- buffer_init(&buffer);
- *name = xstrdup("");
- *info = xstrdup("");
- *prompts = xmalloc(sizeof(char *));
- **prompts = NULL;
- plen = 0;
- *echo_on = xmalloc(sizeof(u_int));
- while (ssh_msg_recv(ctxt->pam_sock, &buffer) == 0) {
- type = buffer_get_char(&buffer);
- msg = buffer_get_string(&buffer, NULL);
- switch (type) {
- case PAM_PROMPT_ECHO_ON:
- case PAM_PROMPT_ECHO_OFF:
- *num = 1;
- **prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
- plen += sprintf(**prompts + plen, "%s", msg);
- **echo_on = (type == PAM_PROMPT_ECHO_ON);
- xfree(msg);
- return (0);
- case PAM_ERROR_MSG:
- case PAM_TEXT_INFO:
- /* accumulate messages */
- **prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
- plen += sprintf(**prompts + plen, "%s", msg);
- xfree(msg);
- break;
- case PAM_SUCCESS:
- case PAM_AUTH_ERR:
- if (**prompts != NULL) {
- /* drain any accumulated messages */
-#if 0 /* not compatible with privsep */
- packet_start(SSH2_MSG_USERAUTH_BANNER);
- packet_put_cstring(**prompts);
- packet_put_cstring("");
- packet_send();
- packet_write_wait();
-#endif
- xfree(**prompts);
- **prompts = NULL;
- }
- if (type == PAM_SUCCESS) {
- *num = 0;
- **echo_on = 0;
- ctxt->pam_done = 1;
- xfree(msg);
- return (0);
- }
- error("%s", msg);
- default:
- *num = 0;
- **echo_on = 0;
- xfree(msg);
- ctxt->pam_done = -1;
- return (-1);
- }
- }
- return (-1);
-}
-
-static int
-pam_respond(void *ctx, u_int num, char **resp)
-{
- Buffer buffer;
- struct pam_ctxt *ctxt = ctx;
- char *msg;
-
- debug2(__func__);
- switch (ctxt->pam_done) {
- case 1:
- return (0);
- case 0:
- break;
- default:
- return (-1);
- }
- if (num != 1) {
- error("expected one response, got %u", num);
- return (-1);
- }
- buffer_init(&buffer);
- buffer_put_cstring(&buffer, *resp);
- ssh_msg_send(ctxt->pam_sock, PAM_AUTHTOK, &buffer);
- buffer_free(&buffer);
- return (1);
-}
-
-static void
-pam_free_ctx(void *ctxtp)
-{
- struct pam_ctxt *ctxt = ctxtp;
- int status;
-
- fatal_remove_cleanup(pam_cleanup, ctxt);
- close(ctxt->pam_sock);
- kill(ctxt->pam_pid, SIGHUP);
- waitpid(ctxt->pam_pid, &status, 0);
- xfree(ctxt->pam_user);
- xfree(ctxt);
-}
-
-KbdintDevice pam_device = {
- "pam",
- pam_init_ctx,
- pam_query,
- pam_respond,
- pam_free_ctx
-};
-
-KbdintDevice mm_pam_device = {
- "pam",
- mm_pam_init_ctx,
- mm_pam_query,
- mm_pam_respond,
- mm_pam_free_ctx
-};
-
-#endif /* USE_PAM */
diff --git a/security/hpn-ssh/files/batch.patch b/security/hpn-ssh/files/batch.patch
deleted file mode 100644
index 1e99a5d92180..000000000000
--- a/security/hpn-ssh/files/batch.patch
+++ /dev/null
@@ -1,36 +0,0 @@
---- Makefile.in.orig Sun Jul 14 19:02:21 2002
-+++ Makefile.in Sat Oct 26 05:49:23 2002
-@@ -198,7 +198,7 @@
- $(AUTORECONF)
- (cd scard && $(MAKE) -f Makefile.in distprep)
-
--install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key check-config
-+install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files check-config
- install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
-
- check-config:
-@@ -251,24 +251,6 @@
- ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
- if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
- $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
-- fi
-- @if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
-- $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
-- else \
-- echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
-- fi
-- @if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
-- $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
-- else \
-- echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
-- fi
-- @if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
-- $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
-- if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \
-- $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \
-- else \
-- echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \
-- fi ; \
- fi
- @if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
- if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
diff --git a/security/hpn-ssh/files/patch-Makefile.in b/security/hpn-ssh/files/patch-Makefile.in
deleted file mode 100644
index d354787aeee4..000000000000
--- a/security/hpn-ssh/files/patch-Makefile.in
+++ /dev/null
@@ -1,11 +0,0 @@
---- Makefile.in.orig Wed Jun 26 01:45:42 2002
-+++ Makefile.in Mon Jul 22 07:24:41 2002
-@@ -70,6 +70,8 @@
- MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
- MANTYPE = @MANTYPE@
-
-+SSHDOBJS+= auth2-pam-freebsd.o
-+
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
- CONFIGFILES_IN=sshd_config ssh_config moduli
-
diff --git a/security/hpn-ssh/files/patch-auth.c b/security/hpn-ssh/files/patch-auth.c
deleted file mode 100644
index e8f640a16936..000000000000
--- a/security/hpn-ssh/files/patch-auth.c
+++ /dev/null
@@ -1,29 +0,0 @@
---- auth.c.orig Tue Mar 5 02:42:43 2002
-+++ auth.c Sun Mar 17 20:53:15 2002
-@@ -193,6 +193,17 @@
- }
- #endif /* WITH_AIXAUTHENTICATE */
-
-+#ifdef __FreeBSD__
-+ /* Fail if the account's expiration time has passed. */
-+ if (pw->pw_expire != 0) {
-+ struct timeval tv;
-+
-+ (void)gettimeofday(&tv, NULL);
-+ if (tv.tv_sec >= pw->pw_expire)
-+ return 0;
-+ }
-+#endif /* __FreeBSD__ */
-+
- /* We found no reason not to let this user try to log on... */
- return 1;
- }
-@@ -490,7 +480,7 @@
- if (pw == NULL || !allowed_user(pw))
- return (NULL);
- #ifdef HAVE_LOGIN_CAP
-- if ((lc = login_getclass(pw->pw_class)) == NULL) {
-+ if ((lc = login_getpwclass(pw)) == NULL) {
- debug("unable to get login class: %s", user);
- return (NULL);
- }
diff --git a/security/hpn-ssh/files/patch-auth1.c b/security/hpn-ssh/files/patch-auth1.c
deleted file mode 100644
index e8ecdbef3917..000000000000
--- a/security/hpn-ssh/files/patch-auth1.c
+++ /dev/null
@@ -1,64 +0,0 @@
---- auth1.c.orig Fri Jun 21 08:21:11 2002
-+++ auth1.c Fri Jun 28 06:57:42 2002
-@@ -26,6 +26,7 @@
- #include "session.h"
- #include "uidswap.h"
- #include "monitor_wrap.h"
-+#include "canohost.h"
-
- /* import */
- extern ServerOptions options;
-@@ -75,6 +76,18 @@
- u_int ulen;
- int type = 0;
- struct passwd *pw = authctxt->pw;
-+#ifdef HAVE_LOGIN_CAP
-+ login_cap_t *lc;
-+#endif
-+#ifdef USE_PAM
-+ struct inverted_pam_cookie *pam_cookie;
-+#endif /* USE_PAM */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
-+ const char *from_host, *from_ip;
-+
-+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
-+ from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
-
- debug("Attempting authentication for %s%.100s.",
- authctxt->valid ? "" : "illegal user ", authctxt->user);
-@@ -282,6 +295,34 @@
- log("Unknown message during authentication: type %d", type);
- break;
- }
-+
-+#ifdef HAVE_LOGIN_CAP
-+ if (pw != NULL) {
-+ lc = login_getpwclass(pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
-+ pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
-+ if (pw != NULL && !login_access(pw->pw_name, from_host)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
-+ pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+#endif /* LOGIN_ACCESS */
-+
- #ifdef BSD_AUTH
- if (authctxt->as) {
- auth_close(authctxt->as);
diff --git a/security/hpn-ssh/files/patch-auth2-chall.c b/security/hpn-ssh/files/patch-auth2-chall.c
deleted file mode 100644
index 77b5778ac6af..000000000000
--- a/security/hpn-ssh/files/patch-auth2-chall.c
+++ /dev/null
@@ -1,48 +0,0 @@
---- auth2-chall.c.orig Wed Jun 26 15:58:40 2002
-+++ auth2-chall.c Sun Jun 30 07:12:43 2002
-@@ -41,6 +42,9 @@
- #ifdef BSD_AUTH
- extern KbdintDevice bsdauth_device;
- #else
-+#ifdef USE_PAM
-+extern KbdintDevice pam_device;
-+#endif
- #ifdef SKEY
- extern KbdintDevice skey_device;
- #endif
-@@ -50,6 +54,9 @@
- #ifdef BSD_AUTH
- &bsdauth_device,
- #else
-+#ifdef USE_PAM
-+ &pam_device,
-+#endif
- #ifdef SKEY
- &skey_device,
- #endif
-@@ -323,15 +330,22 @@
- #ifdef BSD_AUTH
- extern KbdintDevice mm_bsdauth_device;
- #endif
-+#ifdef USE_PAM
-+ extern KbdintDevice mm_pam_device;
-+#endif
- #ifdef SKEY
- extern KbdintDevice mm_skey_device;
- #endif
-- /* As long as SSHv1 has devices[0] hard coded this is fine */
-+ int n = 0;
-+
- #ifdef BSD_AUTH
-- devices[0] = &mm_bsdauth_device;
-+ devices[n++] = &mm_bsdauth_device;
- #else
-+#ifdef USE_PAM
-+ devices[n++] = &mm_pam_device;
-+#endif
- #ifdef SKEY
-- devices[0] = &mm_skey_device;
-+ devices[n++] = &mm_skey_device;
- #endif
- #endif
- }
diff --git a/security/hpn-ssh/files/patch-auth2.c b/security/hpn-ssh/files/patch-auth2.c
deleted file mode 100644
index 8d999bf1bbd9..000000000000
--- a/security/hpn-ssh/files/patch-auth2.c
+++ /dev/null
@@ -1,68 +0,0 @@
---- auth2.c.orig Fri Jun 21 08:21:11 2002
-+++ auth2.c Fri Jun 28 06:57:56 2002
-@@ -35,6 +35,7 @@
- #include "dispatch.h"
- #include "pathnames.h"
- #include "monitor_wrap.h"
-+#include "canohost.h"
-
- /* import */
- extern ServerOptions options;
-@@ -137,6 +138,15 @@
- Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
- int authenticated = 0;
-+#ifdef HAVE_LOGIN_CAP
-+ login_cap_t *lc;
-+#endif /* HAVE_LOGIN_CAP */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
-+ const char *from_host, *from_ip;
-+
-+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
-+ from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
-
- if (authctxt == NULL)
- fatal("input_userauth_request: no authctxt");
-@@ -178,6 +188,41 @@
- "(%s,%s) -> (%s,%s)",
- authctxt->user, authctxt->service, user, service);
- }
-+
-+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
-+ if (authctxt->pw != NULL &&
-+ !login_access(authctxt->pw->pw_name, from_host)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+#endif /* LOGIN_ACCESS */
-+#ifdef BSD_AUTH
-+ if (authctxt->as) {
-+ auth_close(authctxt->as);
-+ authctxt->as = NULL;
-+ }
-+#endif
-+
- /* reset state */
- auth2_challenge_stop(authctxt);
- authctxt->postponed = 0;
diff --git a/security/hpn-ssh/files/patch-clientloop.c b/security/hpn-ssh/files/patch-clientloop.c
deleted file mode 100644
index 67fc4dcb4f6b..000000000000
--- a/security/hpn-ssh/files/patch-clientloop.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- clientloop.c.orig Fri Apr 20 09:17:51 2001
-+++ clientloop.c Sat May 26 15:18:51 2001
-@@ -1131,7 +1131,7 @@
-
- if (strcmp(ctype, "forwarded-tcpip") == 0) {
- c = client_request_forwarded_tcpip(ctype, rchan);
-- } else if (strcmp(ctype, "x11") == 0) {
-+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
- c = client_request_x11(ctype, rchan);
- } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
- c = client_request_agent(ctype, rchan);
diff --git a/security/hpn-ssh/files/patch-loginrec.c b/security/hpn-ssh/files/patch-loginrec.c
deleted file mode 100644
index 37993edf2097..000000000000
--- a/security/hpn-ssh/files/patch-loginrec.c
+++ /dev/null
@@ -1,25 +0,0 @@
---- loginrec.c.orig Thu Sep 26 02:38:49 2002
-+++ loginrec.c Mon Oct 21 06:51:34 2002
-@@ -172,6 +172,9 @@
- #ifdef HAVE_LIBUTIL_H
- # include <libutil.h>
- #endif
-+#ifdef __FreeBSD__
-+#include <osreldate.h>
-+#endif
-
- /**
- ** prototypes for helper functions in this file
-@@ -654,7 +657,12 @@
- /* Use strncpy because we don't necessarily want null termination */
- strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username));
- # ifdef HAVE_HOST_IN_UTMP
-+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000
- strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname));
-+# else
-+ realhostname_sa(ut->ut_host, sizeof ut->ut_host,
-+ &li->hostaddr.sa, li->hostaddr.sa.sa_len);
-+# endif
- # endif
- # ifdef HAVE_ADDR_IN_UTMP
- /* this is just a 32-bit IP address */
diff --git a/security/hpn-ssh/files/patch-monitor.c b/security/hpn-ssh/files/patch-monitor.c
deleted file mode 100644
index cca169c55f02..000000000000
--- a/security/hpn-ssh/files/patch-monitor.c
+++ /dev/null
@@ -1,137 +0,0 @@
---- monitor.c.orig Wed Jun 26 15:27:11 2002
-+++ monitor.c Mon Jul 15 21:33:45 2002
-@@ -118,6 +118,10 @@
-
- #ifdef USE_PAM
- int mm_answer_pam_start(int, Buffer *);
-+int mm_answer_pam_init_ctx(int, Buffer *);
-+int mm_answer_pam_query(int, Buffer *);
-+int mm_answer_pam_respond(int, Buffer *);
-+int mm_answer_pam_free_ctx(int, Buffer *);
- #endif
-
- static Authctxt *authctxt;
-@@ -156,6 +160,10 @@
- {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
- #ifdef USE_PAM
- {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
- #endif
- #ifdef BSD_AUTH
- {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -198,6 +206,10 @@
- #endif
- #ifdef USE_PAM
- {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
- #endif
- {0, 0, NULL}
- };
-@@ -732,6 +744,101 @@
- xfree(user);
-
- return (0);
-+}
-+
-+static void *pam_ctxt, *pam_authok;
-+extern KbdintDevice pam_device;
-+
-+int
-+mm_answer_pam_init_ctx(int socket, Buffer *m)
-+{
-+
-+ debug3("%s", __func__);
-+ authctxt->user = buffer_get_string(m, NULL);
-+ pam_ctxt = (pam_device.init_ctx)(authctxt);
-+ pam_authok = NULL;
-+ buffer_clear(m);
-+ if (pam_ctxt != NULL) {
-+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
-+ buffer_put_int(m, 1);
-+ } else {
-+ buffer_put_int(m, 0);
-+ }
-+ mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
-+ return (0);
-+}
-+
-+int
-+mm_answer_pam_query(int socket, Buffer *m)
-+{
-+ char *name, *info, **prompts;
-+ u_int num, *echo_on;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ pam_authok = NULL;
-+ ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
-+ if (num > 1 || name == NULL || info == NULL)
-+ ret = -1;
-+ buffer_clear(m);
-+ buffer_put_int(m, ret);
-+ buffer_put_cstring(m, name);
-+ xfree(name);
-+ buffer_put_cstring(m, info);
-+ xfree(info);
-+ buffer_put_int(m, num);
-+ for (i = 0; i < num; ++i) {
-+ buffer_put_cstring(m, prompts[i]);
-+ xfree(prompts[i]);
-+ buffer_put_int(m, echo_on[i]);
-+ }
-+ if (prompts != NULL)
-+ xfree(prompts);
-+ if (echo_on != NULL)
-+ xfree(echo_on);
-+ mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
-+ return (0);
-+}
-+
-+int
-+mm_answer_pam_respond(int socket, Buffer *m)
-+{
-+ char **resp;
-+ u_int num;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ pam_authok = NULL;
-+ num = buffer_get_int(m);
-+ if (num > 0) {
-+ resp = xmalloc(num * sizeof(char *));
-+ for (i = 0; i < num; ++i)
-+ resp[i] = buffer_get_string(m, NULL);
-+ ret = (pam_device.respond)(pam_ctxt, num, resp);
-+ for (i = 0; i < num; ++i)
-+ xfree(resp[i]);
-+ xfree(resp);
-+ } else {
-+ ret = (pam_device.respond)(pam_ctxt, num, NULL);
-+ }
-+ buffer_clear(m);
-+ buffer_put_int(m, ret);
-+ mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
-+ auth_method = "keyboard-interactive/pam";
-+ if (ret == 0)
-+ pam_authok = pam_ctxt;
-+ return (0);
-+}
-+
-+int
-+mm_answer_pam_free_ctx(int socket, Buffer *m)
-+{
-+
-+ debug3("%s", __func__);
-+ (pam_device.free_ctx)(pam_ctxt);
-+ buffer_clear(m);
-+ mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
-+ return (pam_authok == pam_ctxt);
- }
- #endif
-
diff --git a/security/hpn-ssh/files/patch-monitor.h b/security/hpn-ssh/files/patch-monitor.h
deleted file mode 100644
index 2c42831b40ab..000000000000
--- a/security/hpn-ssh/files/patch-monitor.h
+++ /dev/null
@@ -1,13 +0,0 @@
---- monitor.h.orig Tue Jun 11 18:42:49 2002
-+++ monitor.h Sun Jun 30 07:13:09 2002
-@@ -50,6 +51,10 @@
- MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
- MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
- MONITOR_REQ_PAM_START,
-+ MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-+ MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
-+ MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
-+ MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
- MONITOR_REQ_TERM
- };
-
diff --git a/security/hpn-ssh/files/patch-monitor_wrap.c b/security/hpn-ssh/files/patch-monitor_wrap.c
deleted file mode 100644
index 99ad633a6028..000000000000
--- a/security/hpn-ssh/files/patch-monitor_wrap.c
+++ /dev/null
@@ -1,107 +0,0 @@
---- monitor_wrap.c.orig Fri Jun 21 02:43:43 2002
-+++ monitor_wrap.c Sun Jun 30 07:13:18 2002
-@@ -664,6 +665,88 @@
-
- buffer_free(&m);
- }
-+
-+void *
-+mm_pam_init_ctx(Authctxt *authctxt)
-+{
-+ Buffer m;
-+ int success;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ buffer_put_cstring(&m, authctxt->user);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
-+ success = buffer_get_int(&m);
-+ if (success == 0) {
-+ debug3("%s: pam_init_ctx failed", __func__);
-+ buffer_free(&m);
-+ return (NULL);
-+ }
-+ buffer_free(&m);
-+ return (authctxt);
-+}
-+
-+int
-+mm_pam_query(void *ctx, char **name, char **info,
-+ u_int *num, char ***prompts, u_int **echo_on)
-+{
-+ Buffer m;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
-+ ret = buffer_get_int(&m);
-+ debug3("%s: pam_query returned %d", __func__, ret);
-+ *name = buffer_get_string(&m, NULL);
-+ *info = buffer_get_string(&m, NULL);
-+ *num = buffer_get_int(&m);
-+ *prompts = xmalloc((*num + 1) * sizeof(char *));
-+ *echo_on = xmalloc((*num + 1) * sizeof(u_int));
-+ for (i = 0; i < *num; ++i) {
-+ (*prompts)[i] = buffer_get_string(&m, NULL);
-+ (*echo_on)[i] = buffer_get_int(&m);
-+ }
-+ buffer_free(&m);
-+ return (ret);
-+}
-+
-+int
-+mm_pam_respond(void *ctx, u_int num, char **resp)
-+{
-+ Buffer m;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ buffer_put_int(&m, num);
-+ for (i = 0; i < num; ++i)
-+ buffer_put_cstring(&m, resp[i]);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
-+ ret = buffer_get_int(&m);
-+ debug3("%s: pam_respond returned %d", __func__, ret);
-+ buffer_free(&m);
-+ return (ret);
-+}
-+
-+void
-+mm_pam_free_ctx(void *ctxtp)
-+{
-+ Buffer m;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
-+ buffer_free(&m);
-+}
- #endif /* USE_PAM */
-
- /* Request process termination */
-@@ -767,6 +850,7 @@
- return ((authok == 0) ? -1 : 0);
- }
-
-+#ifdef SKEY
- int
- mm_skey_query(void *ctx, char **name, char **infotxt,
- u_int *numprompts, char ***prompts, u_int **echo_on)
-@@ -829,6 +913,7 @@
-
- return ((authok == 0) ? -1 : 0);
- }
-+#endif
-
- void
- mm_ssh1_session_id(u_char session_id[16])
diff --git a/security/hpn-ssh/files/patch-monitor_wrap.h b/security/hpn-ssh/files/patch-monitor_wrap.h
deleted file mode 100644
index e4495c7ba12e..000000000000
--- a/security/hpn-ssh/files/patch-monitor_wrap.h
+++ /dev/null
@@ -1,13 +0,0 @@
---- monitor_wrap.h.orig Mon May 13 03:07:42 2002
-+++ monitor_wrap.h Sun Jun 30 07:13:18 2002
-@@ -57,6 +58,10 @@
-
- #ifdef USE_PAM
- void mm_start_pam(char *);
-+void *mm_pam_init_ctx(struct Authctxt *);
-+int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
-+int mm_pam_respond(void *, u_int, char **);
-+void mm_pam_free_ctx(void *);
- #endif
-
- void mm_terminate(void);
diff --git a/security/hpn-ssh/files/patch-session.c b/security/hpn-ssh/files/patch-session.c
deleted file mode 100644
index 7ec065eab175..000000000000
--- a/security/hpn-ssh/files/patch-session.c
+++ /dev/null
@@ -1,334 +0,0 @@
---- session.c.orig Thu Sep 26 02:38:50 2002
-+++ session.c Mon Oct 21 06:49:56 2002
-@@ -64,6 +64,11 @@
- #define is_winnt (GetVersion() < 0x80000000)
- #endif
-
-+#ifdef __FreeBSD__
-+#include <syslog.h>
-+#define _PATH_CHPASS "/usr/bin/passwd"
-+#endif /* __FreeBSD__ */
-+
- /* func */
-
- Session *session_new(void);
-@@ -469,6 +474,13 @@
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
- /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
-+ /*
- * Create a new session and process group since the 4.4BSD
- * setlogin() affects the entire process group.
- */
-@@ -574,6 +586,9 @@
- {
- int fdout, ptyfd, ttyfd, ptymaster;
- pid_t pid;
-+#if defined(USE_PAM)
-+ const char *shorttty;
-+#endif
-
- if (s == NULL)
- fatal("do_exec_pty: no session");
-@@ -581,7 +596,16 @@
- ttyfd = s->ttyfd;
-
- #if defined(USE_PAM)
-- do_pam_session(s->pw->pw_name, s->tty);
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ do_pam_session(s->pw->pw_name, shorttty);
- do_pam_setcred(1);
- #endif
-
-@@ -591,6 +615,14 @@
-
- /* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+
-+ /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
- /* Close the master side of the pseudo tty. */
- close(ptyfd);
-
-@@ -724,6 +756,18 @@
- struct sockaddr_storage from;
- struct passwd * pw = s->pw;
- pid_t pid = getpid();
-+#ifdef HAVE_LOGIN_CAP
-+ FILE *f;
-+ char buf[256];
-+ char *fname;
-+ const char *shorttty;
-+#endif /* HAVE_LOGIN_CAP */
-+#ifdef __FreeBSD__
-+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
-+ char *newcommand;
-+ struct timeval tv;
-+ time_t warntime = DEFAULT_WARN;
-+#endif /* __FreeBSD__ */
-
- /*
- * Get IP address of client. If the connection is not a socket, let
-@@ -757,6 +801,72 @@
- }
- #endif
-
-+#ifdef __FreeBSD__
-+ if (pw->pw_change || pw->pw_expire)
-+ (void)gettimeofday(&tv, NULL);
-+#ifdef HAVE_LOGIN_CAP
-+ warntime = login_getcaptime(lc, "warnpassword",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+#endif /* HAVE_LOGIN_CAP */
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ log("%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (newcommand != NULL)
-+ xfree(newcommand);
-+ newcommand = xstrdup(_PATH_CHPASS);
-+ } else if (pw->pw_change - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your password expires on %s",
-+ ctime(&pw->pw_change));
-+ }
-+
-+#ifndef USE_PAM
-+ if (pw->pw_expire) {
-+ if (tv.tv_sec >= pw->pw_expire) {
-+ (void)printf(
-+ "Sorry -- your account has expired.\n");
-+ log(
-+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.verify_reverse_mapping), s->tty);
-+ exit(254);
-+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your account expires on %s",
-+ ctime(&pw->pw_expire));
-+ }
-+#endif /* !USE_PAM */
-+#endif /* __FreeBSD__ */
-+
-+#ifdef HAVE_LOGIN_CAP
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ if (!auth_ttyok(lc, shorttty)) {
-+ (void)printf("Permission denied.\n");
-+ log(
-+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.verify_reverse_mapping), s->tty);
-+ exit(254);
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+
- if (check_quietlogin(s, command))
- return;
-
-@@ -770,7 +880,17 @@
- #endif /* WITH_AIXAUTHENTICATE */
-
- #ifndef NO_SSH_LASTLOG
-- if (options.print_lastlog && s->last_login_time != 0) {
-+ /*
-+ * If the user has logged in before, display the time of last
-+ * login. However, don't display anything extra if a command
-+ * has been specified (so that ssh can be used to execute
-+ * commands on a remote machine without users knowing they
-+ * are going to another machine). Login(1) will do this for
-+ * us as well, so check if login(1) is used
-+ */
-+ if (command == NULL && options.print_lastlog &&
-+ s->last_login_time != 0 &&
-+ !options.use_login) {
- time_string = ctime(&s->last_login_time);
- if (strchr(time_string, '\n'))
- *strchr(time_string, '\n') = 0;
-@@ -782,7 +902,30 @@
- }
- #endif /* NO_SSH_LASTLOG */
-
-- do_motd();
-+#ifdef HAVE_LOGIN_CAP
-+ if (command == NULL &&
-+ !options.use_login) {
-+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
-+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
-+ while (fgets(buf, sizeof(buf), f) != NULL)
-+ fputs(buf, stdout);
-+ fclose(f);
-+ } else
-+ (void)printf("%s\n\t%s %s\n",
-+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
-+ "The Regents of the University of California. ",
-+ "All rights reserved.");
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+
-+ /*
-+ * Print /etc/motd unless a command was specified or printing
-+ * it was disabled in server options or login(1) will be
-+ * used. Note that some machines appear to print it in
-+ * /etc/profile or similar.
-+ */
-+ if (command == NULL && !options.use_login)
-+ do_motd();
- }
-
- /*
-@@ -798,9 +941,9 @@
- #ifdef HAVE_LOGIN_CAP
- f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
- "/etc/motd"), "r");
--#else
-+#else /* !HAVE_LOGIN_CAP */
- f = fopen("/etc/motd", "r");
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- if (f) {
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stdout);
-@@ -827,10 +970,10 @@
- #ifdef HAVE_LOGIN_CAP
- if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
- return 1;
--#else
-+#else /* HAVE_LOGIN_CAP */
- if (stat(buf, &st) >= 0)
- return 1;
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- return 0;
- }
-
-@@ -950,6 +1093,10 @@
- char buf[256];
- u_int i, envsize;
- char **env;
-+#ifdef HAVE_LOGIN_CAP
-+ extern char **environ;
-+ char **senv, **var;
-+#endif /* HAVE_LOGIN_CAP */
- struct passwd *pw = s->pw;
-
- /* Initialize the environment. */
-@@ -957,6 +1104,9 @@
- env = xmalloc(envsize * sizeof(char *));
- env[0] = NULL;
-
-+ /* Moved up to resove confict with gsssapi patches */
-+ if (getenv("TZ"))
-+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- #ifdef HAVE_CYGWIN
- /*
- * The Windows environment contains some setting which are
-@@ -998,9 +1148,21 @@
-
- /* Normal systems set SHELL by default. */
- child_set_env(&env, &envsize, "SHELL", shell);
-+#ifdef HAVE_LOGIN_CAP
-+ senv = environ;
-+ environ = xmalloc(sizeof(char *));
-+ *environ = NULL;
-+ if (setusercontext(lc, pw, pw->pw_uid,
-+ LOGIN_SETENV|LOGIN_SETPATH) < 0) {
-+ perror("unable to set user context enviroment");
-+ }
-+ copy_environment(environ, &env, &envsize);
-+ for (var = environ; *var != NULL; ++var)
-+ xfree(*var);
-+ xfree(environ);
-+ environ = senv;
-+#endif /* HAVE_LOGIN_CAP */
- }
-- if (getenv("TZ"))
-- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-
- /* Set custom environment options from RSA authentication. */
- if (!options.use_login) {
-@@ -1208,7 +1370,7 @@
- setpgid(0, 0);
- # endif
- if (setusercontext(lc, pw, pw->pw_uid,
-- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
- perror("unable to set user context");
- exit(1);
- }
-@@ -1362,7 +1524,7 @@
- * initgroups, because at least on Solaris 2.3 it leaves file
- * descriptors open.
- */
-- for (i = 3; i < 64; i++)
-+ for (i = 3; i < getdtablesize(); i++)
- close(i);
-
- /*
-@@ -1392,6 +1554,31 @@
- exit(1);
- #endif
- }
-+
-+#ifdef __FreeBSD__
-+ if (!options.use_login) {
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ struct timeval tv;
-+
-+ (void)gettimeofday(&tv, NULL);
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ syslog(LOG_INFO,
-+ "%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (system("/usr/bin/passwd") != 0) {
-+ perror("/usr/bin/passwd");
-+ exit(1);
-+ }
-+ }
-+ }
-+ }
-+#endif /* __FreeBSD__ */
-
- if (!options.use_login)
- do_rc_files(s, shell);
diff --git a/security/hpn-ssh/files/patch-sshd.c b/security/hpn-ssh/files/patch-sshd.c
deleted file mode 100644
index 09665a42d7bd..000000000000
--- a/security/hpn-ssh/files/patch-sshd.c
+++ /dev/null
@@ -1,31 +0,0 @@
---- sshd.c.orig Wed Jun 26 01:24:19 2002
-+++ sshd.c Thu Jul 25 06:32:37 2002
-@@ -53,6 +53,10 @@
- #include <prot.h>
- #endif
-
-+#ifdef __FreeBSD__
-+#include <resolv.h>
-+#endif
-+
- #include "ssh.h"
- #include "ssh1.h"
- #include "ssh2.h"
-@@ -1409,6 +1413,17 @@
- setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
- sizeof(on)) < 0)
- error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
-+
-+#ifdef __FreeBSD__
-+ /*
-+ * Initialize the resolver. This may not happen automatically
-+ * before privsep chroot().
-+ */
-+ if ((_res.options & RES_INIT) == 0) {
-+ debug("res_init()");
-+ res_init();
-+ }
-+#endif
-
- /*
- * Register our connection. This turns encryption off because we do
diff --git a/security/hpn-ssh/files/patch-sshd_config b/security/hpn-ssh/files/patch-sshd_config
deleted file mode 100644
index 3d84a8c64d0f..000000000000
--- a/security/hpn-ssh/files/patch-sshd_config
+++ /dev/null
@@ -1,18 +0,0 @@
---- sshd_config.orig Fri Jun 21 03:11:36 2002
-+++ sshd_config Wed Jul 3 06:20:47 2002
-@@ -34,6 +34,7 @@
-
- #LoginGraceTime 600
- #PermitRootLogin yes
-+PermitRootLogin no
- #StrictModes yes
-
- #RSAAuthentication yes
-@@ -58,6 +59,7 @@
-
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
-+ChallengeResponseAuthentication no
-
- # Kerberos options
- #KerberosAuthentication no
diff --git a/security/hpn-ssh/files/patch-sshpty.c b/security/hpn-ssh/files/patch-sshpty.c
deleted file mode 100644
index 090be41de9ef..000000000000
--- a/security/hpn-ssh/files/patch-sshpty.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- sshpty.c.orig Wed Jun 26 01:21:42 2002
-+++ sshpty.c Fri Jun 28 07:09:38 2002
-@@ -30,6 +30,9 @@
- #ifdef HAVE_PTY_H
- # include <pty.h>
- #endif
-+#ifdef HAVE_LIBUTIL_H
-+#include <libutil.h>
-+#endif
- #if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H)
- # include <sys/stropts.h>
- #endif
diff --git a/security/hpn-ssh/files/patch-stderr-after-eof.sh b/security/hpn-ssh/files/patch-stderr-after-eof.sh
deleted file mode 100644
index 38969b8d51a3..000000000000
--- a/security/hpn-ssh/files/patch-stderr-after-eof.sh
+++ /dev/null
@@ -1,11 +0,0 @@
---- regress/stderr-after-eof.sh.orig Wed May 1 05:17:35 2002
-+++ regress/stderr-after-eof.sh Fri Jul 19 07:22:18 2002
-@@ -7,7 +7,7 @@
- DATA=${OBJ}/data
- COPY=${OBJ}/copy
-
--MD5=md5sum
-+MD5=md5
-
- # setup data
- rm -f ${DATA} ${COPY}
diff --git a/security/hpn-ssh/files/servconf.c.patch b/security/hpn-ssh/files/servconf.c.patch
deleted file mode 100644
index dde0a6947e60..000000000000
--- a/security/hpn-ssh/files/servconf.c.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- servconf.c.orig Sat Mar 23 11:02:41 2002
-+++ servconf.c Sat Mar 23 11:07:39 2002
-@@ -17,12 +17,12 @@
- #endif
- #if defined(KRB5)
- #ifdef HEIMDAL
--#include <krb.h>
-+#include <krb5.h>
- #else
- /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
--#define KEYFILE "/etc/krb5.keytab"
- #endif
-+#define KEYFILE "/etc/krb5.keytab"
- #endif
- #ifdef AFS
- #include <kafs.h>
diff --git a/security/hpn-ssh/files/sshd.sh b/security/hpn-ssh/files/sshd.sh
deleted file mode 100644
index ba52de02fe7b..000000000000
--- a/security/hpn-ssh/files/sshd.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-case "$1" in
-start)
- __PREFIX__/sbin/sshd
- echo -n ' sshd'
- ;;
-stop)
- if [ -f /var/run/sshd.pid ]; then
- kill -TERM `cat /var/run/sshd.pid`
- rm -f /var/run/sshd.pid
- echo -n ' sshd'
- fi
- ;;
-restart)
- if [ -f /var/run/sshd.pid ]; then
- kill -HUP `cat /var/run/sshd.pid`
- echo 'sshd restarted'
- fi
- ;;
-*)
- echo "Usage: ${0##*/}: { start | stop | restart }" 2>&1
- exit 65
- ;;
-esac
diff --git a/security/hpn-ssh/pkg-comment b/security/hpn-ssh/pkg-comment
deleted file mode 100644
index d96c7bfa9b13..000000000000
--- a/security/hpn-ssh/pkg-comment
+++ /dev/null
@@ -1 +0,0 @@
-The portable version of OpenBSD's OpenSSH
diff --git a/security/hpn-ssh/pkg-descr b/security/hpn-ssh/pkg-descr
deleted file mode 100644
index 99ac07bfd209..000000000000
--- a/security/hpn-ssh/pkg-descr
+++ /dev/null
@@ -1,15 +0,0 @@
-OpenBSD's OpenSSH portable version
-
-Normal OpenSSH development produces a very small, secure, and easy to maintain
-version for the OpenBSD project. The OpenSSH Portability Team takes that pure
-version and adds portability code so that OpenSSH can run on many other
-operating systems (Unfortunately, in particular since OpenSSH does
-authentication, it runs into a *lot* of differences between Unix operating
-systems).
-
-The portable OpenSSH follows development of the official version, but releases
-are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
-The official OpenBSD source will never use the 'p' suffix, but will instead
-increment the version number when they hit 'stable spots' in their development.
-
-WWW: http://www.openssh.com/portable.html
diff --git a/security/hpn-ssh/pkg-message b/security/hpn-ssh/pkg-message
deleted file mode 100644
index b0908ddd4486..000000000000
--- a/security/hpn-ssh/pkg-message
+++ /dev/null
@@ -1,17 +0,0 @@
-To enable this port, please add sshd_program=/usr/local/sbin/sshd and make
-sure sshd_enable is set to YES in your /etc/rc.conf
-
-You may also want to put NO_OPENSSH= true in your /etc/make.conf
-and make sure your path is setup to /usr/local/bin before /usr/bin so that
-you are running the port version of openssh and not the version that comes
-with FreeBSD
-
-'PermitRootLogin no' is the new default for the OpenSSH port.
-This now matches the PermitRootLogin configuration of OpenSSH in
-the base system. Please be aware of this when upgrading your
-OpenSSH port, and if truly necessary, re-enable remote root login
-by readjusting this option in your sshd_config.
-
-Users are encouraged to create single-purpose users with ssh keys
-and very narrowly defined sudo privileges instead of using root
-for automated tasks.
diff --git a/security/hpn-ssh/pkg-plist b/security/hpn-ssh/pkg-plist
deleted file mode 100644
index a20e02c1426b..000000000000
--- a/security/hpn-ssh/pkg-plist
+++ /dev/null
@@ -1,38 +0,0 @@
-@comment slogin must be deleted first
-bin/slogin
-bin/scp
-bin/sftp
-bin/ssh
-bin/ssh-add
-bin/ssh-agent
-bin/ssh-keygen
-bin/ssh-keyscan
-%%NOTBASE%%etc/rc.d/sshd.sh.sample
-%%NOTBASE%%etc/ssh/moduli
-%%NOTBASE%%@exec [ -f %D/etc/ssh_config ] && [ ! -f %D/etc/ssh/ssh_config ] && ln %D/etc/ssh_config %D/etc/ssh/ssh_config
-%%NOTBASE%%@exec [ -f %D/etc/sshd_config ] && [ ! -f %D/etc/ssh/sshd_config ] && ln %D/etc/sshd_config %D/etc/ssh/sshd_config
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key ] && [ ! -f %D/etc/ssh/ssh_host_key ] && ln %D/etc/ssh_host_key %D/etc/ssh/ssh_host_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_key.pub ] && ln %D/etc/ssh_host_key.pub %D/etc/ssh/ssh_host_key.pub
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key ] && ln %D/etc/ssh_host_rsa_key %D/etc/ssh/ssh_host_rsa_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key.pub ] && ln %D/etc/ssh_host_rsa_key.pub %D/etc/ssh/ssh_host_rsa_key.pub
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key ] && ln %D/etc/ssh_host_dsa_key %D/etc/ssh/ssh_host_dsa_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key.pub ] && ln %D/etc/ssh_host_dsa_key.pub %D/etc/ssh/ssh_host_dsa_key.pub
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
-%%NOTBASE%%etc/ssh/ssh_config-dist
-%%NOTBASE%%etc/ssh/sshd_config-dist
-%%NOTBASE%%@exec [ ! -f %D/etc/ssh/ssh_config ] && cp %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config
-%%NOTBASE%%@exec [ ! -f %D/etc/ssh/sshd_config ] && cp %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config
-%%NOTBASE%%@dirrm etc/ssh
-sbin/sshd
-share/Ssh.bin
-libexec/sftp-server
-libexec/ssh-keysign
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_key ]; then echo ">> Generating a secret RSA1 host key."; %D/bin/ssh-keygen -t rsa1 -N "" -f %D/etc/ssh/ssh_host_key; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_rsa_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -t rsa -N "" -f %D/etc/ssh/ssh_host_rsa_key; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -t dsa -N "" -f %D/etc/ssh/ssh_host_dsa_key; fi
-%%NOTBASE%%@exec mkdir -p %D/empty
-%%NOTBASE%%@dirrm empty
-%%BASE%%@exec mkdir -p %%EMPTYDIR%%
-@exec if ! pw groupshow sshd 2>/dev/null; then pw groupadd sshd -g 22; fi
-@exec if ! pw usershow sshd 2>/dev/null; then pw useradd sshd -g sshd -u 22 -h - -d %%EMPTYDIR%% -s /nonexistent -c "sshd privilege separation"; fi