Diffstat (limited to 'security/openssh')
-rw-r--r--security/openssh/Makefile2
-rw-r--r--security/openssh/files/patch-auth1.c105
-rw-r--r--security/openssh/files/patch-auth2.c98
-rw-r--r--security/openssh/files/patch-session.c257
-rw-r--r--security/openssh/files/patch-ssh-Makefile6
-rw-r--r--security/openssh/files/patch-ssh-keyscan-Makefile8
-rw-r--r--security/openssh/files/sshd.sh43
7 files changed, 461 insertions, 58 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index b814a5e0f244..7dc1c72c4c2d 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -7,7 +7,7 @@
PORTNAME= openssh
PORTVERSION= 3.1
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
diff --git a/security/openssh/files/patch-auth1.c b/security/openssh/files/patch-auth1.c
new file mode 100644
index 000000000000..7be939c24a5a
--- /dev/null
+++ b/security/openssh/files/patch-auth1.c
@@ -0,0 +1,105 @@
+--- auth1.c.orig Sun Feb 3 18:53:25 2002
++++ auth1.c Sun Mar 17 20:14:40 2002
+@@ -75,6 +75,18 @@
+ u_int ulen;
+ int type = 0;
+ struct passwd *pw = authctxt->pw;
++#ifdef HAVE_LOGIN_CAP
++ login_cap_t *lc;
++#endif
++#ifdef USE_PAM
++ struct inverted_pam_cookie *pam_cookie;
++#endif /* USE_PAM */
++#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
++ const char *from_host, *from_ip;
++
++ from_host = get_canonical_hostname(options.verify_reverse_mapping);
++ from_ip = get_remote_ipaddr();
++#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+
+ debug("Attempting authentication for %s%.100s.",
+ authctxt->valid ? "" : "illegal user ", authctxt->user);
+@@ -84,7 +96,11 @@
+ #if defined(KRB4) || defined(KRB5)
+ (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
+ #endif
++#ifdef USE_PAM
++ auth_pam_password(authctxt, "")
++#else
+ auth_password(authctxt, "")) {
++#endif
+ auth_log(authctxt, 1, "without authentication", "");
+ return;
+ }
+@@ -94,6 +110,8 @@
+ packet_send();
+ packet_write_wait();
+
++ client_user = NULL;
++
+ for (;;) {
+ /* default to fail */
+ authenticated = 0;
+@@ -284,6 +302,34 @@
+ log("Unknown message during authentication: type %d", type);
+ break;
+ }
++
++#ifdef HAVE_LOGIN_CAP
++ if (pw != NULL) {
++ lc = login_getpwclass(pw);
++ if (lc == NULL)
++ lc = login_getclassbyname(NULL, pw);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ log("Denied connection for %.200s from %.200s [%.200s].",
++ pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++ if (!auth_timeok(lc, time(NULL))) {
++ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ pw->pw_name, from_host);
++ packet_disconnect("Logins not available right now.");
++ }
++ login_close(lc);
++ lc = NULL;
++ }
++#endif /* HAVE_LOGIN_CAP */
++#ifdef LOGIN_ACCESS
++ if (pw != NULL && !login_access(pw->pw_name, from_host)) {
++ log("Denied connection for %.200s from %.200s [%.200s].",
++ pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++#endif /* LOGIN_ACCESS */
++
+ #ifdef BSD_AUTH
+ if (authctxt->as) {
+ auth_close(authctxt->as);
+@@ -302,6 +348,15 @@
+ /* Log before sending the reply */
+ auth_log(authctxt, authenticated, get_authname(type), info);
+
++#ifdef USE_PAM
++ if (authenticated && !do_pam_account(pw->pw_name, client_user))
++ authenticated = 0;
++#endif
++ if (client_user != NULL) {
++ xfree(client_user);
++ client_user = NULL;
++ }
++
+ if (authenticated)
+ return;
+
+@@ -354,6 +409,11 @@
+ pw = NULL;
+ }
+ authctxt->pw = pw;
++
++#ifdef USE_PAM
++ if (pw != NULL)
++ start_pam(pw);
++#endif
+
+ setproctitle("%s", pw ? user : "unknown");
+
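Review bot: With USE_PAM defined, the `if (` that opens the empty-password test is never closed, because the added `auth_pam_password(authctxt, "")` line lacks the `)) {` that the `#else` branch keeps; the PAM line should read `auth_pam_password(authctxt, "")) {`. Separately, `auth_log(authctxt, authenticated, ...)` still runs before the added `do_pam_account()` check, so an attempt that PAM account management then rejects has already been logged with the pre-check value of `authenticated`. Moving the `#ifdef USE_PAM` account check above the "Log before sending the reply" comment would keep the audit record in line with the actual outcome. The enclosing function bodies start and end outside these inner hunks.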
diff --git a/security/openssh/files/patch-auth2.c b/security/openssh/files/patch-auth2.c
new file mode 100644
index 000000000000..a7134d573432
--- /dev/null
+++ b/security/openssh/files/patch-auth2.c
@@ -0,0 +1,98 @@
+--- auth2.c.orig Sun Feb 24 20:14:59 2002
++++ auth2.c Sun Mar 17 20:15:23 2002
+@@ -166,6 +166,15 @@
+ Authmethod *m = NULL;
+ char *user, *service, *method, *style = NULL;
+ int authenticated = 0;
++#ifdef HAVE_LOGIN_CAP
++ login_cap_t *lc;
++#endif /* HAVE_LOGIN_CAP */
++#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
++ const char *from_host, *from_ip;
++
++ from_host = get_canonical_hostname(options.verify_reverse_mapping);
++ from_ip = get_remote_ipaddr();
++#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+
+ if (authctxt == NULL)
+ fatal("input_userauth_request: no authctxt");
+@@ -187,6 +196,11 @@
+ authctxt->pw = pwcopy(pw);
+ authctxt->valid = 1;
+ debug2("input_userauth_request: setting up authctxt for %s", user);
++
++#ifdef USE_PAM
++ start_pam(pw);
++#endif
++
+ } else {
+ log("input_userauth_request: illegal user %s", user);
+ }
+@@ -200,6 +214,41 @@
+ "(%s,%s) -> (%s,%s)",
+ authctxt->user, authctxt->service, user, service);
+ }
++
++#ifdef HAVE_LOGIN_CAP
++ if (authctxt->pw != NULL) {
++ lc = login_getpwclass(authctxt->pw);
++ if (lc == NULL)
++ lc = login_getclassbyname(NULL, authctxt->pw);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ log("Denied connection for %.200s from %.200s [%.200s].",
++ authctxt->pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++ if (!auth_timeok(lc, time(NULL))) {
++ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ authctxt->pw->pw_name, from_host);
++ packet_disconnect("Logins not available right now.");
++ }
++ login_close(lc);
++ lc = NULL;
++ }
++#endif /* HAVE_LOGIN_CAP */
++#ifdef LOGIN_ACCESS
++ if (authctxt->pw != NULL &&
++ !login_access(authctxt->pw->pw_name, from_host)) {
++ log("Denied connection for %.200s from %.200s [%.200s].",
++ authctxt->pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++#endif /* LOGIN_ACCESS */
++#ifdef BSD_AUTH
++ if (authctxt->as) {
++ auth_close(authctxt->as);
++ authctxt->as = NULL;
++ }
++#endif
++
+ /* reset state */
+ auth2_challenge_stop(authctxt);
+ authctxt->postponed = 0;
+@@ -210,6 +259,12 @@
+ debug2("input_userauth_request: try method %s", method);
+ authenticated = m->userauth(authctxt);
+ }
++
++#ifdef USE_PAM
++ if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
++ authenticated = 0;
++#endif /* USE_PAM */
++
+ userauth_finish(authctxt, authenticated, method);
+
+ xfree(service);
+@@ -299,7 +354,12 @@
+ m->enabled = NULL;
+ packet_check_eom();
+ userauth_banner();
++
++#ifdef USE_PAM
++ return authctxt->valid ? auth_pam_password(authctxt, "") : 0;
++#else /* !USE_PAM */
+ return authctxt->valid ? auth_password(authctxt, "") : 0;
++#endif /* USE_PAM */
+ }
+
+ static int
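Review bot: The login-class and login.access checks added after the "(%s,%s) -> (%s,%s)" block run before `m->userauth(authctxt)` and only when `authctxt->pw != NULL`, so an unauthenticated peer is sent "Sorry, you are not allowed to connect." or "Logins not available right now." for existing restricted accounts, while unknown names get an ordinary failure. That reveals which account names exist and that host or time policy applies to them. Consider deferring the checks until a method has succeeded, e.g. guarding them with `if (authenticated && authctxt->pw != NULL)` next to the `do_pam_account()` test, so a policy denial looks like any failed login until credentials are proven. The same block is duplicated in the auth1.c patch and would be easier to keep consistent as one shared helper. The body of input_userauth_request begins and ends outside these inner hunks.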
diff --git a/security/openssh/files/patch-session.c b/security/openssh/files/patch-session.c
index abb20c8ac770..c2501dd0f071 100644
--- a/security/openssh/files/patch-session.c
+++ b/security/openssh/files/patch-session.c
@@ -1,6 +1,6 @@
---- session.c.orig Fri Mar 8 06:11:56 2002
-+++ session.c Fri Mar 8 06:15:32 2002
-@@ -57,6 +57,12 @@
+--- session.c.orig Sun Mar 17 20:08:51 2002
++++ session.c Sun Mar 17 20:22:06 2002
+@@ -57,6 +57,13 @@
#include "canohost.h"
#include "session.h"
@@ -8,12 +8,24 @@
+#include <libutil.h>
+#include <syslog.h>
+#include <time.h>
++#define _PATH_CHPASS "/usr/bin/passwd"
+#endif /* __FreeBSD__ */
+
/* types */
#define TTYSZ 64
-@@ -394,6 +400,13 @@
+@@ -386,6 +393,10 @@
+ if (s == NULL)
+ fatal("do_exec_no_pty: no session");
+
++#ifdef USE_PAM
++ do_pam_setcred();
++#endif /* USE_PAM */
++
+ session_proctitle(s);
+
+ /* Fork the child. */
+@@ -394,6 +405,13 @@
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/*
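Review bot: do_exec_no_pty gains only `do_pam_setcred()`, whereas the pty path in the next hunk calls `do_pam_session(s->pw->pw_name, s->tty)` before `do_pam_setcred()`, so sessions without a tty appear to skip PAM session modules (limits, accounting, audit). Unless the session is opened somewhere not shown here, add the matching call ahead of the setcred, e.g. `do_pam_session(s->pw->pw_name, NULL);`. Whether do_pam_session accepts a NULL tty needs checking against its definition, which is not part of this diff.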
@@ -27,7 +39,17 @@
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group.
*/
-@@ -499,6 +512,14 @@
+@@ -494,11 +512,24 @@
+ ptyfd = s->ptyfd;
+ ttyfd = s->ttyfd;
+
++#ifdef USE_PAM
++ do_pam_session(s->pw->pw_name, s->tty);
++ do_pam_setcred();
++#endif /* USE_PAM */
++
+ /* Fork the child. */
+ if ((pid = fork()) == 0) {
/* Child. Reinitialize the log because the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@@ -42,7 +64,14 @@
/* Close the master side of the pseudo tty. */
close(ptyfd);
-@@ -589,6 +610,11 @@
+@@ -583,12 +614,23 @@
+ do_login(Session *s, const char *command)
+ {
+ char *time_string;
++ char *newcommand;
+ char hostname[MAXHOSTNAMELEN];
+ socklen_t fromlen;
+ struct sockaddr_storage from;
time_t last_login_time;
struct passwd * pw = s->pw;
pid_t pid = getpid();
@@ -51,15 +80,116 @@
+ char buf[256];
+ char *fname;
+#endif /* HAVE_LOGIN_CAP */
++#ifdef __FreeBSD__
++#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
++ struct timeval tv;
++ time_t warntime = DEFAULT_WARN;
++#endif /* __FreeBSD__ */
/*
* Get IP address of client. If the connection is not a socket, let
-@@ -629,6 +655,21 @@
+@@ -616,10 +658,92 @@
+ get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+ (struct sockaddr *)&from);
+
++#ifdef USE_PAM
++ /*
++ * If password change is needed, do it now.
++ * This needs to occur before the ~/.hushlogin check.
++ */
++ if (pam_password_change_required()) {
++ print_pam_messages();
++ do_pam_chauthtok();
++ }
++#endif
++
++#ifdef USE_PAM
++ if (!check_quietlogin(s, command) && !pam_password_change_required())
++ print_pam_messages();
++#endif /* USE_PAM */
++#ifdef __FreeBSD__
++ if (pw->pw_change || pw->pw_expire)
++ (void)gettimeofday(&tv, NULL);
++#ifdef HAVE_LOGIN_CAP
++ warntime = login_getcaptime(lc, "warnpassword",
++ DEFAULT_WARN, DEFAULT_WARN);
++#endif /* HAVE_LOGIN_CAP */
++ /*
++ * If the password change time is set and has passed, give the
++ * user a password expiry notice and chance to change it.
++ */
++ if (pw->pw_change != 0) {
++ if (tv.tv_sec >= pw->pw_change) {
++ (void)printf(
++ "Sorry -- your password has expired.\n");
++ log("%s Password expired - forcing change",
++ pw->pw_name);
++ if (newcommand != NULL)
++ xfree(newcommand);
++ newcommand = xstrdup(_PATH_CHPASS);
++ } else if (pw->pw_change - tv.tv_sec < warntime &&
++ !check_quietlogin(s, command))
++ (void)printf(
++ "Warning: your password expires on %s",
++ ctime(&pw->pw_change));
++ }
++#ifndef USE_PAM
++ if (pw->pw_expire) {
++ if (tv.tv_sec >= pw->pw_expire) {
++ (void)printf(
++ "Sorry -- your account has expired.\n");
++ log(
++ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
++ pw->pw_name, get_remote_name_or_ip(utmp_len,
++ options.verify_reverse_mapping), s->tty);
++ exit(254);
++ } else if (pw->pw_expire - tv.tv_sec < warntime &&
++ !check_quietlogin(s, command))
++ (void)printf(
++ "Warning: your account expires on %s",
++ ctime(&pw->pw_expire));
++ }
++#endif /* !USE_PAM */
++#endif /* __FreeBSD__ */
++
++#ifdef HAVE_LOGIN_CAP
++ if (!auth_ttyok(lc, s->tty)) {
++ (void)printf("Permission denied.\n");
++ log(
++ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
++ pw->pw_name, get_remote_name_or_ip(utmp_len,
++ options.verify_reverse_mapping), s->tty);
++ exit(254);
++ }
++#endif /* HAVE_LOGIN_CAP */
++
+ if (check_quietlogin(s, command))
+ return;
+
+- if (options.print_lastlog && last_login_time != 0) {
++ /*
++ * If the user has logged in before, display the time of last
++ * login. However, don't display anything extra if a command
++ * has been specified (so that ssh can be used to execute
++ * commands on a remote machine without users knowing they
++ * are going to another machine). Login(1) will do this for
++ * us as well, so check if login(1) is used
++ */
++ if (command == NULL && options.print_lastlog &&
++ last_login_time != 0 &&
++ !options.use_login) {
++
+ time_string = ctime(&last_login_time);
+ if (strchr(time_string, '\n'))
+ *strchr(time_string, '\n') = 0;
+@@ -629,7 +753,30 @@
printf("Last login: %s from %s\r\n", time_string, hostname);
}
+- do_motd();
+#ifdef HAVE_LOGIN_CAP
-+ if (!options.use_login) {
++ if (command == NULL &&
++ !options.use_login) {
+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+ while (fgets(buf, sizeof(buf), f) != NULL)
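Review bot: `newcommand` is declared without an initializer in do_login (`char *newcommand;`, previous hunk) and is then read by `if (newcommand != NULL) xfree(newcommand);` in the password-expiry branch, so an indeterminate pointer can reach xfree(). Declare it as `char *newcommand = NULL;`. Nothing visible in this hunk uses `newcommand` after `xstrdup(_PATH_CHPASS)`, and `command` is a `const char *` parameter, so the forced password change may never actually run; confirm that an expired password really keeps the user out of a normal shell. `tv` is also set only when `pw_change` or `pw_expire` is non-zero, which the later guards depend on; a one-line comment saying so would help.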
@@ -73,10 +203,43 @@
+ }
+#endif /* HAVE_LOGIN_CAP */
+
- do_motd();
++ /*
++ * Print /etc/motd unless a command was specified or printing
++ * it was disabled in server options or login(1) will be
++ * used. Note that some machines appear to print it in
++ * /etc/profile or similar.
++ */
++ if (command == NULL && !options.use_login)
++ do_motd();
}
-@@ -775,6 +816,10 @@
+ /*
+@@ -645,9 +792,9 @@
+ #ifdef HAVE_LOGIN_CAP
+ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
+ "/etc/motd"), "r");
+-#else
++#else /* !HAVE_LOGIN_CAP */
+ f = fopen("/etc/motd", "r");
+-#endif
++#endif /* HAVE_LOGIN_CAP */
+ if (f) {
+ while (fgets(buf, sizeof(buf), f))
+ fputs(buf, stdout);
+@@ -674,10 +821,10 @@
+ #ifdef HAVE_LOGIN_CAP
+ if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
+ return 1;
+-#else
++#else /* HAVE_LOGIN_CAP */
+ if (stat(buf, &st) >= 0)
+ return 1;
+-#endif
++#endif /* HAVE_LOGIN_CAP */
+ return 0;
+ }
+
+@@ -775,6 +922,10 @@
env[0] = NULL;
if (!options.use_login) {
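Review bot: The comment added above `do_motd()` says the motd is skipped when printing "was disabled in server options", but the new condition `if (command == NULL && !options.use_login)` tests no such option. If do_motd() performs that check itself (its body is only partly visible here), say so in the comment, e.g. `/* do_motd() itself honours the server's motd setting */`; otherwise add the option to the condition. The `command == NULL && !options.use_login` test is also repeated on the lastlog, copyright and motd branches and could be a single early return after check_quietlogin().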
@@ -87,34 +250,74 @@
/* Set basic environment. */
child_set_env(&env, &envsize, "USER", pw->pw_name);
child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
-@@ -782,6 +827,12 @@
+@@ -782,9 +933,15 @@
#ifdef HAVE_LOGIN_CAP
(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+-#else
+ var= login_getcapstr(lc, "lang", NULL, NULL);
+ if ( var ) child_set_env(&env, &envsize, "LANG", var);
+ var= login_getcapstr(lc, "charset", NULL, NULL);
+ if ( var ) child_set_env(&env, &envsize, "MM_CHARSET", var);
+ var= login_getcapstr(lc, "timezone", NULL, NULL);
+ if ( var ) child_set_env(&env, &envsize, "TZ", var);
- #else
++#else /* !HAVE_LOGIN_CAP */
child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
- #endif
-@@ -793,8 +844,13 @@
- /* Normal systems set SHELL by default. */
- child_set_env(&env, &envsize, "SHELL", shell);
- }
-+#ifdef HAVE_LOGIN_CAP
-+#else /* HAVE_LOGIN_CAP */
-+ if (getenv("TZ"))
-+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+-#endif
+#endif /* HAVE_LOGIN_CAP */
- /* Set custom environment options from RSA authentication. */
- if (!options.use_login) {
-@@ -1057,7 +1113,7 @@
+ snprintf(buf, sizeof buf, "%.200s/%.50s",
+ _PATH_MAILDIR, pw->pw_name);
+@@ -837,6 +994,11 @@
+ child_set_env(&env, &envsize, "KRB5CCNAME",
+ s->authctxt->krb5_ticket_file);
+ #endif
++#ifdef USE_PAM
++ /* Pull in any environment variables that may have been set by PAM. */
++ do_pam_environment(&env, &envsize);
++#endif /* USE_PAM */
++
+ if (auth_get_socket_name() != NULL)
+ child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
+ auth_get_socket_name());
+@@ -979,6 +1141,36 @@
+ fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+ }
+
++#ifdef USE_PAM
++/*
++ * Sets any environment variables which have been specified by PAM
++ */
++void do_pam_environment(char ***env, int *envsize)
++{
++ char *equals, var_name[512], var_val[512];
++ char **pam_env;
++ int i;
++
++ if ((pam_env = fetch_pam_environment()) == NULL)
++ return;
++
++ for(i = 0; pam_env[i] != NULL; i++) {
++ if ((equals = strstr(pam_env[i], "=")) == NULL)
++ continue;
++
++ if (strlen(pam_env[i]) < (sizeof(var_name) - 1)) {
++ memset(var_name, '\0', sizeof(var_name));
++ memset(var_val, '\0', sizeof(var_val));
++
++ strncpy(var_name, pam_env[i], equals - pam_env[i]);
++ strcpy(var_val, equals + 1);
++
++ child_set_env(env, envsize, var_name, var_val);
++ }
++ }
++}
++#endif /* USE_PAM */
++
+ /*
+ * Performs common processing for the child, such as setting up the
+ * environment, closing extra file descriptors, setting the user and group
+@@ -1057,7 +1249,7 @@
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
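Review bot: do_pam_environment() silently drops any PAM variable whose whole `NAME=value` string is 511 bytes or longer, and the unbounded `strcpy(var_val, equals + 1)` is safe only because of that earlier combined-length test. Make the bound local to each copy, e.g. `strlcpy(var_val, equals + 1, sizeof(var_val));`, and emit a `debug()` line when an entry is skipped so a missing variable can be diagnosed. A short comment noting that the `memset` zero-fill is what terminates `var_name` after `strncpy` would also help, and `strchr(pam_env[i], '=')` is the plainer call for a single character.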
@@ -123,7 +326,7 @@
close(i);
/*
-@@ -1087,6 +1143,31 @@
+@@ -1087,6 +1279,31 @@
exit(1);
#endif
}
diff --git a/security/openssh/files/patch-ssh-Makefile b/security/openssh/files/patch-ssh-Makefile
index 6971b0cfacf1..d988af43f124 100644
--- a/security/openssh/files/patch-ssh-Makefile
+++ b/security/openssh/files/patch-ssh-Makefile
@@ -1,5 +1,5 @@
---- ssh/Makefile.orig Tue Sep 11 00:44:47 2001
-+++ ssh/Makefile Wed Oct 3 13:54:47 2001
+--- ssh/Makefile.orig Tue Mar 5 01:49:51 2002
++++ ssh/Makefile Sun Mar 17 14:58:13 2002
@@ -7,8 +7,8 @@
BINMODE?=4555
@@ -34,7 +34,7 @@
.include <bsd.prog.mk>
--LDADD+= -lcrypto -lz
+-LDADD+= -lcrypto -lz -ldes
-DPADD+= ${LIBCRYPTO} ${LIBZ}
+LDADD+= ${CRYPTOLIBS} -lcrypt -lutil -lz
+DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
diff --git a/security/openssh/files/patch-ssh-keyscan-Makefile b/security/openssh/files/patch-ssh-keyscan-Makefile
index d31653ac8736..5a4f3d6388e8 100644
--- a/security/openssh/files/patch-ssh-keyscan-Makefile
+++ b/security/openssh/files/patch-ssh-keyscan-Makefile
@@ -1,5 +1,5 @@
---- ssh-keyscan/Makefile.orig Sun Mar 4 08:59:39 2001
-+++ ssh-keyscan/Makefile Thu Jul 12 18:57:39 2001
+--- ssh-keyscan/Makefile.orig Mon Aug 6 01:18:20 2001
++++ ssh-keyscan/Makefile Sun Mar 17 14:58:13 2002
@@ -7,12 +7,13 @@
BINMODE?=555
@@ -14,6 +14,6 @@
.include <bsd.prog.mk>
+.include "Makefile.inc"
--LDADD+= -lcrypto
+-LDADD+= -lcrypto -lz
+LDADD+= ${CRYPTOLIBS} -lutil -lz
- DPADD+= ${LIBCRYPTO}
+ DPADD+= ${LIBCRYPTO} ${LIBZ}
diff --git a/security/openssh/files/sshd.sh b/security/openssh/files/sshd.sh
index 74798cff8d6f..ba52de02fe7b 100644
--- a/security/openssh/files/sshd.sh
+++ b/security/openssh/files/sshd.sh
@@ -1,27 +1,24 @@
#!/bin/sh
case "$1" in
- start)
- __PREFIX__/sbin/sshd
+start)
+ __PREFIX__/sbin/sshd
+ echo -n ' sshd'
+ ;;
+stop)
+ if [ -f /var/run/sshd.pid ]; then
+ kill -TERM `cat /var/run/sshd.pid`
+ rm -f /var/run/sshd.pid
echo -n ' sshd'
- ;;
- stop)
- if [ -f /var/run/sshd.pid ]; then
- kill -TERM `cat /var/run/sshd.pid`
- rm -f /var/run/sshd.pid
- echo -n ' sshd'
- fi
- ;;
- restart)
- if [ -f /var/run/sshd.pid ]; then
- kill -HUP `cat /var/run/sshd.pid`
- echo 'sshd restarted'
- fi
- ;;
- -h)
- echo "Usage: `basename $0` { start | stop | restart }"
- ;;
- *)
- __PREFIX__/sbin/sshd
- echo -n ' sshd'
- ;;
+ fi
+ ;;
+restart)
+ if [ -f /var/run/sshd.pid ]; then
+ kill -HUP `cat /var/run/sshd.pid`
+ echo 'sshd restarted'
+ fi
+ ;;
+*)
+ echo "Usage: ${0##*/}: { start | stop | restart }" 2>&1
+ exit 65
+ ;;
esac
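Review bot: The usage line ends in `2>&1`, which points stderr at stdout and leaves the message on stdout; on this error path it was presumably meant to be `>&2`, i.e. `echo "Usage: ${0##*/}: { start | stop | restart }" >&2`. In the stop and restart branches the pid file content is passed to `kill` unquoted and unchecked. Reading it into a variable and signalling only when it is non-empty, e.g. `pid=$(cat /var/run/sshd.pid) && [ -n "$pid" ] && kill -TERM "$pid"`, avoids calling `kill` with no arguments or several when the file is truncated or malformed.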