Update to 7.4p1.

- Update X509 patch to 9.3 - SCTP patch from soralx@cydem.org Changes: https://www.openssh.com/txt/release-7.4
author: Bryan Drewery <bdrewery@FreeBSD.org> 2017-01-16 19:30:31 +0000
committer: Bryan Drewery <bdrewery@FreeBSD.org> 2017-01-16 19:30:31 +0000
commit: 8da82fad61c6b94602430f04e987ffaf1ca90a5f (patch)
tree: 10555beba9bd193e2b56e1f8e413b3abb7242681
parent: www/tinyproxy: MAINTAINER back to sunpoet@ (diff)
16 files changed, 264 insertions, 390 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index a79e0decfbf2..4c0cc65e122a 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	7.3p1
-PORTREVISION=	5
+DISTVERSION=	7.4p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -60,15 +60,15 @@ HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION=		9.0
+X509_VERSION=		9.3
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES=	${PORTNAME}-7.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-x509-glue
+X509_PATCHFILES=	${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
 #SCTP_PATCHFILES=	${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
 SCTP_CONFIGURE_WITH=	sctp
-#SCTP_BROKEN=		does not apply to 7.3+
 SCTP_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-sctp:-p1
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
@@ -94,8 +94,8 @@ EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
-# 7.3 patch taken from
-# http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch
+# Patch from:
+# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
 # which was originally based on 5.7 patch from
 # http://www.sxw.org.uk/computing/patches/
 # It is mirrored simply to apply gzip -9.
@@ -103,7 +103,7 @@ EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
-PATCHFILES+=	openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz:-p1:gsskex
+PATCHFILES+=	openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex
 .endif
 
 # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 73d7fe5a4473..d634e474f732 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,9 +1,9 @@
-TIMESTAMP = 1470675521
-SHA256 (openssh-7.3p1.tar.gz) = 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
-SIZE (openssh-7.3p1.tar.gz) = 1522617
+TIMESTAMP = 1484161900
+SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
+SIZE (openssh-7.4p1.tar.gz) = 1511780
 SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
 SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.3p1+x509-9.0.diff.gz) = ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900
-SIZE (openssh-7.3p1+x509-9.0.diff.gz) = 571918
-SHA256 (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 83698da23a7d4dd24be9bc15ea7e801890dfc9303815135552c8ddfd158f1a95
-SIZE (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 26818
+SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee
+SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572
+SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
+SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index db3eaa7d89c4..d99575c65ede 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -695,7 +695,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  #define	atime	tv[0]
 --- work/openssh/servconf.c.orig	2015-05-29 03:27:21.000000000 -0500
 +++ work/openssh/servconf.c	2015-06-02 09:56:36.041601000 -0500
-@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions 
+@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions 
  	options->authorized_principals_file = NULL;
  	options->authorized_principals_command = NULL;
  	options->authorized_principals_command_user = NULL;
@@ -710,7 +710,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->version_addendum = NULL;
-@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption
+@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption
  	}
  	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
@@ -768,7 +768,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	if (options->ip_qos_interactive == -1)
  		options->ip_qos_interactive = IPTOS_LOWDELAY;
  	if (options->ip_qos_bulk == -1)
-@@ -406,6 +465,12 @@ typedef enum {
+@@ -412,6 +471,12 @@ typedef enum {
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sHostCertificate,
  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@@ -781,7 +781,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
  	sKexAlgorithms, sIPQoS, sVersionAddendum,
  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -537,6 +602,14 @@ static struct {
+@@ -548,6 +613,14 @@ static struct {
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -796,7 +796,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
  	{ "ipqos", sIPQoS, SSHCFG_ALL },
  	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions
+@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions
  		intptr = &options->ignore_user_known_hosts;
  		goto parse_flag;
  
@@ -819,8 +819,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		goto parse_int;
 +#endif
 +
- 	case sRhostsRSAAuthentication:
- 		intptr = &options->rhosts_rsa_authentication;
+ 	case sHostbasedAuthentication:
+ 		intptr = &options->hostbased_authentication;
  		goto parse_flag;
 --- work.clean/openssh-6.8p1/servconf.h	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/servconf.h	2015-04-03 13:48:37.316827000 -0500
@@ -842,7 +842,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	int	num_permitted_opens;
 --- work.clean/openssh-6.8p1/serverloop.c	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/serverloop.c	2015-04-03 17:14:15.182548000 -0500
-@@ -1051,6 +1051,12 @@
+@@ -526,6 +526,12 @@ server_request_tun(void)
  	sock = tun_open(tun, mode);
  	if (sock < 0)
  		goto done;
@@ -855,7 +855,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
  	c->datagram = 1;
-@@ -1088,6 +1094,10 @@
+@@ -563,6 +569,10 @@ server_request_session(void)
  	c = channel_new("session", SSH_CHANNEL_LARVAL,
  	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
  	    0, "server-session", 1);
@@ -1101,7 +1101,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	    strlen(client_version_string)) != strlen(client_version_string))
 --- work.clean/openssh-7.2p1/sshconnect2.c.orig	2016-02-25 19:40:04.000000000 -0800
 +++ work.clean/openssh-7.2p1/sshconnect2.c	2016-02-29 08:06:31.134954000 -0800
-@@ -80,6 +80,14 @@
+@@ -81,6 +81,14 @@
  extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
@@ -1116,7 +1116,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  /*
   * SSH2 key exchange
-@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc
+@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc
  	return ret;
  }
  
@@ -1145,10 +1145,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  }
  
  /*
-@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co
- 	pubkey_cleanup(&authctxt);
- 	ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
  
+ 	if (!authctxt.success)
+ 		fatal("Authentication failed.");
 +#ifdef NONE_CIPHER_ENABLED
 +	/*
 +	 * if the user wants to use the none cipher do it
@@ -1177,13 +1177,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
 --- work.clean/openssh-7.1p1/sshd.c.orig	2015-08-20 21:49:03.000000000 -0700
 +++ work.clean/openssh-7.1p1/sshd.c	2015-11-11 12:45:48.202186000 -0800
-@@ -431,8 +431,13 @@ sshd_exchange_identification(int sock_in
- 		minor = PROTOCOL_MINOR_1;
- 	}
+@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh 
+ 	char buf[256];			/* Must not be larger than remote_version. */
+ 	char remote_version[256];	/* Must be at least as big as buf. */
  
 -	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
 +	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
- 	    major, minor, SSH_VERSION,
+ 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
 +	    options.hpn_disabled ? "" : SSH_HPN,
 +#else
@@ -1192,7 +1192,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	    *options.version_addendum == '\0' ? "" : " ",
  	    options.version_addendum, newline);
  
-@@ -1155,6 +1160,10 @@ server_listen(void)
+@@ -1027,6 +1032,10 @@ server_listen(void)
  	int ret, listen_sock, on = 1;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1195,6 +1204,13 @@ server_listen(void)
+@@ -1067,6 +1076,13 @@ server_listen(void)
  
  		debug("Bind to port %s on %s.", strport, ntop);
  
@@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -1693,6 +1709,15 @@ main(int ac, char **av)
+@@ -1591,6 +1607,15 @@ main(int ac, char **av)
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
@@ -1233,9 +1233,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	/* challenge-response is implemented via keyboard interactive */
  	if (options.challenge_response_authentication)
  		options.kbd_interactive_authentication = 1;
-@@ -2123,6 +2148,11 @@ main(int ac, char **av)
- 		cleanup_exit(255);
+@@ -2085,6 +2110,11 @@ main(int ac, char **av)
  	}
+ #endif
  
 +#ifdef HPN_ENABLED
 +	/* set the HPN options for the child */
@@ -1243,9 +1243,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
  	/*
- 	 * We use get_canonical_hostname with usedns = 0 instead of
- 	 * get_remote_ipaddr here so IP options will be checked.
-@@ -2539,6 +2569,11 @@ do_ssh2_kex(void)
+ 	 * In privilege separation, we fork another child and prepare
+ 	 * file descriptor passing.
+@@ -2163,6 +2193,11 @@ do_ssh2_kex(void)
  	struct kex *kex;
  	int r;
  
@@ -1259,7 +1259,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
-@@ -127,6 +127,20 @@
+@@ -111,6 +111,20 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # override default of no subsystems
  Subsystem	sftp	/usr/libexec/sftp-server
  
diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns
index 7bd369a84444..2d06f100c0c0 100644
--- a/security/openssh-portable/files/extra-patch-ldns
+++ b/security/openssh-portable/files/extra-patch-ldns
@@ -35,17 +35,17 @@ be verified, OpenSSH will print a message and prompt the user as usual.
 +#   VerifyHostKeyDNS yes
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  #   RekeyLimit 1G 1h
---- ssh_config.5.orig	2016-02-25 19:40:04.000000000 -0800
-+++ ssh_config.5	2016-02-29 07:57:41.763889000 -0800
-@@ -1715,7 +1715,10 @@
- or
- .Dq ask .
+--- ssh_config.5.orig	2016-12-18 20:59:41.000000000 -0800
++++ ssh_config.5	2017-01-11 11:24:25.573200000 -0800
+@@ -1635,7 +1635,10 @@ need to confirm new host keys according 
+ .Cm StrictHostKeyChecking
+ option.
  The default is
--.Dq no .
-+.Dq yes
+-.Cm no .
++.Cm yes
 +if compiled with LDNS and
-+.Dq no
++.Cm no
 +otherwise.
  .Pp
- See also VERIFYING HOST KEYS in
- .Xr ssh 1 .
+ See also
+ .Sx VERIFYING HOST KEYS
diff --git a/security/openssh-portable/files/extra-patch-sctp b/security/openssh-portable/files/extra-patch-sctp
index 0d20b03b8953..f0b5297e184c 100644
--- a/security/openssh-portable/files/extra-patch-sctp
+++ b/security/openssh-portable/files/extra-patch-sctp
@@ -278,9 +278,9 @@ index b19d30e..14b0a0f 100644
  	options->macs = NULL;
  	options->kex_algorithms = NULL;
 +	options->transport = -1;
- 	options->protocol = SSH_PROTO_UNKNOWN;
  	options->fwd_opts.gateway_ports = -1;
  	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+ 	options->fwd_opts.streamlocal_bind_unlink = -1;
 @@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
  		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
  	if (options->allow_agent_forwarding == -1)
@@ -438,9 +438,9 @@ index b19d30e..14b0a0f 100644
 +			    filename, linenum);
 +		break;
 +
- 	case sProtocol:
- 		intptr = &options->protocol;
- 		arg = strdelim(&cp);
+ 	case sSubsystem:
+ 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
+ 			fatal("%s line %d: too many subsystems defined.",
 @@ -1992,6 +2111,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
  	M_CP_INTOPT(allow_streamlocal_forwarding);
  	M_CP_INTOPT(allow_agent_forwarding);
@@ -482,9 +482,9 @@ index f4137af..63a0637 100644
  	char   *macs;		/* Supported SSH2 macs. */
  	char   *kex_algorithms;	/* SSH2 kex methods in order of preference. */
 +	int transport;	/* Transport protocol(s) used */
- 	int	protocol;	/* Supported protocol versions. */
  	struct ForwardOptions fwd_opts;	/* forwarding options */
  	SyslogFacility log_facility;	/* Facility for system logging. */
+ 	LogLevel log_level;<--->/* Level for system logging. */
 diff --git a/ssh.1 b/ssh.1
 index cc53343..b1a45e8 100644
 --- a/ssh.1
@@ -566,7 +566,7 @@ index caf13a6..a088f30 100644
 @@ -1597,6 +1597,12 @@ This is important in scripts, and many users want it too.
  .Pp
  To disable TCP keepalive messages, the value should be set to
- .Dq no .
+ .Cm no .
 +.It Cm Transport
 +Specifies the transport protocol while connecting. Valid values are
 +.Dq TCP
@@ -686,9 +686,9 @@ index 430569c..4ca58ed 100644
 +#include <netinet/sctp.h>
 +#endif
 +
- #ifndef O_NOCTTY
- #define O_NOCTTY	0
- #endif
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
 @@ -1164,6 +1168,12 @@ server_listen(void)
  	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -853,7 +853,7 @@ index a37a3ac..24e3826 100644
 @@ -1508,6 +1508,17 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
- .Dq no .
+ .Cm no .
 +.It Cm Transport
 +Specifies the transport protocol that should be used by
 +.Xr sshd 8 .
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index ad495d433383..14a0452bdefa 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -43,9 +43,9 @@ index 0ade557..045f149 100644
  /*
   * Author: Tatu Ylonen <ylo@cs.hut.fi>
   * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -122,6 +122,13 @@
- #include "ssh-sandbox.h"
+@@ -123,6 +123,13 @@
  #include "version.h"
+ #include "ssherr.h"
  
 +#ifdef LIBWRAP
 +#include <tcpd.h>
@@ -54,10 +54,10 @@ index 0ade557..045f149 100644
 +int deny_severity;
 +#endif /* LIBWRAP */
 +
- #ifndef O_NOCTTY
- #define O_NOCTTY	0
- #endif
-@@ -2027,6 +2034,24 @@ main(int ac, char **av)
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+@@ -1971,6 +1978,24 @@ main(int ac, char **av)
  #ifdef SSH_AUDIT_EVENTS
  	audit_connection_from(remote_ip, remote_port);
  #endif
@@ -81,7 +81,7 @@ index 0ade557..045f149 100644
 +#endif /* LIBWRAP */
  
  	/* Log the connection. */
- 	verbose("Connection from %s port %d on %s port %d",
+ 	laddr = get_local_ipaddr(sock_in);
 diff --git configure.ac configure.ac
 index f48ba4a..66fbe82 100644
 --- configure.ac
diff --git a/security/openssh-portable/files/extra-patch-x509-glue b/security/openssh-portable/files/extra-patch-x509-glue
new file mode 100644
index 000000000000..fe9cbd9d3ec4
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-x509-glue
@@ -0,0 +1,39 @@
+--- session.c.orig	2017-01-12 11:58:30.754769000 -0800
++++ session.c	2017-01-12 11:58:35.360654000 -0800
+@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she
+ 	if (getenv("TZ"))
+ 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ 
+-#ifdef __ANDROID__
+-{
+-#define COPY_ANDROID_ENV(name)	{			\
+-	char *s = getenv(name);				\
+-	if (s)	child_set_env(&env, &envsize, name, s); }
+-
+-	/* from /init.rc */
+-	COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
+-	COPY_ANDROID_ENV("ANDROID_ROOT");
+-	COPY_ANDROID_ENV("ANDROID_ASSETS");
+-	COPY_ANDROID_ENV("ANDROID_DATA");
+-	COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
+-	COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
+-	COPY_ANDROID_ENV("BOOTCLASSPATH");
+-
+-	/* FIXME: keep android property workspace open
+-	 * (see openbsd-compat/bsd-closefrom.c)
+-	 */
+-	COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
+-
+-	COPY_ANDROID_ENV("EXTERNAL_STORAGE");		/* ??? */
+-	COPY_ANDROID_ENV("SECONDARY_STORAGE");		/* ??? */
+-	COPY_ANDROID_ENV("SD_EXT_DIRECTORY");		/* ??? */
+-
+-	/* may contain path to custom libraries */
+-	COPY_ANDROID_ENV("LD_LIBRARY_PATH");
+-#undef COPY_ANDROID_ENV
+-}
+-#endif
+-
+ 	/* Set custom environment options from RSA authentication. */
+ 	while (custom_environment) {
+ 		struct envstring *ce = custom_environment;
diff --git a/security/openssh-portable/files/patch-kex.c b/security/openssh-portable/files/patch-kex.c
deleted file mode 100644
index 339687643ebf..000000000000
--- a/security/openssh-portable/files/patch-kex.c
+++ /dev/null
@@ -1,33 +0,0 @@
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git kex.c kex.c
-index 3f97f8c..6a94bc5 100644
---- kex.c
-+++ kex.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
-+/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
- /*
-  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
-  *
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- 	if (kex == NULL)
- 		return SSH_ERR_INVALID_ARGUMENT;
- 
-+	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- 	ptr = sshpkt_ptr(ssh, &dlen);
- 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- 		return r;
diff --git a/security/openssh-portable/files/patch-misc.c b/security/openssh-portable/files/patch-misc.c
new file mode 100644
index 000000000000..9ce31ea43fa6
--- /dev/null
+++ b/security/openssh-portable/files/patch-misc.c
@@ -0,0 +1,43 @@
+------------------------------------------------------------------------
+r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
+Changed paths:
+   M /head/crypto/openssh/readconf.c
+
+Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
+Submitted upstream, no reaction.
+
+Submitted by:   delphij@
+[rewritten for 7.4 by bdrewery@]
+
+--- misc.c.orig	2017-01-12 11:54:41.058558000 -0800
++++ misc.c	2017-01-12 11:55:16.531356000 -0800
+@@ -56,6 +56,8 @@
+ #include <net/if.h>
+ #endif
+ 
++#include <sys/sysctl.h>
++
+ #include "xmalloc.h"
+ #include "misc.h"
+ #include "log.h"
+@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, 
+ int
+ bind_permitted(int port, uid_t uid)
+ {
+-	if (port < IPPORT_RESERVED && uid != 0)
++	int ipport_reserved;
++#ifdef __FreeBSD__
++	size_t len_ipport_reserved = sizeof(ipport_reserved);
++
++	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
++	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
++		ipport_reserved = IPPORT_RESERVED;
++	else
++		ipport_reserved++;
++#else
++	ipport_reserved = IPPORT_RESERVED;
++#endif
++	if (port < ipport_reserved && uid != 0)
+ 		return 0;
+ 	return 1;
+ }
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
index 7fcb0a3dfd44..8d98c57c2f82 100644
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -9,48 +9,8 @@ Changed paths:
 
 Apply FreeBSD's configuration defaults.
 
-------------------------------------------------------------------------
-r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
-Changed paths:
-   M /head/crypto/openssh/readconf.c
-
-Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
-Submitted upstream, no reaction.
-
-Submitted by:   delphij@
-
 --- readconf.c.orig	2014-07-17 23:11:26.000000000 -0500
 +++ readconf.c	2014-11-03 16:45:05.188796445 -0600
-@@ -17,6 +17,7 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/socket.h>
-+#include <sys/sysctl.h>
- #include <sys/wait.h>
- #include <sys/un.h>
- 
-@@ -311,8 +312,19 @@ add_local_forward(Options *options, cons
- 	struct Forward *fwd;
- 	extern uid_t original_real_uid;
- 	int i;
--
--	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
-+	int ipport_reserved;
-+#ifdef __FreeBSD__
-+	size_t len_ipport_reserved = sizeof(ipport_reserved);
-+
-+	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
-+		ipport_reserved = IPPORT_RESERVED;
-+	else
-+		ipport_reserved++;
-+#else
-+	ipport_reserved = IPPORT_RESERVED;
-+#endif
-+	if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 &&
- 	    newfwd->listen_path == NULL)
- 		fatal("Privileged ports can only be forwarded by root.");
- 	/* Don't add duplicates */
 @@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
  	if (options->batch_mode == -1)
  		options->batch_mode = 0;
diff --git a/security/openssh-portable/files/patch-serverloop.c b/security/openssh-portable/files/patch-serverloop.c
deleted file mode 100644
index 53c08eebf15f..000000000000
--- a/security/openssh-portable/files/patch-serverloop.c
+++ /dev/null
@@ -1,23 +0,0 @@
-Fix CVE-2016-10010
-
-
---- serverloop.c.orig	2016-07-27 17:54:27.000000000 -0500
-+++ serverloop.c	2017-01-11 18:44:42.881227000 -0600
-@@ -999,7 +999,7 @@
- 
- 	/* XXX fine grained permissions */
- 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
--	    !no_port_forwarding_flag) {
-+	    !no_port_forwarding_flag && use_privsep) {
- 		c = channel_connect_to_path(target,
- 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
- 	} else {
-@@ -1280,7 +1280,7 @@
- 
- 		/* check permissions */
- 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
--		    || no_port_forwarding_flag) {
-+		    || no_port_forwarding_flag || !use_privsep) {
- 			success = 0;
- 			packet_send_debug("Server has disabled port forwarding.");
- 		} else {
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 0905c5fc72ba..cb99bbc1bfee 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -1,6 +1,18 @@
+------------------------------------------------------------------------
+r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines
+Changed paths:
+   M /head/crypto/openssh/session.c
+
+Make sure the environment variables set by setusercontext() are passed on
+to the child process.
+
+Reviewed by:    ache
+Sponsored by:   DARPA, NAI Labs
+
+
 --- session.c	2013-03-14 19:22:37 UTC
 +++ session.c
-@@ -1131,6 +1136,9 @@
+@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she
  	struct passwd *pw = s->pw;
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
  	char *path = NULL;
@@ -10,7 +22,7 @@
  #endif
  
  	/* Initialize the environment. */
-@@ -1152,6 +1160,9 @@
+@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she
  	}
  #endif
  
@@ -20,50 +32,49 @@
  #ifdef GSSAPI
  	/* Allow any GSSAPI methods that we've used to alter
  	 * the childs environment as they see fit
-@@ -1171,11 +1182,22 @@
- 		child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she
+ 	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
  #endif
- 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
-+		snprintf(buf, sizeof buf, "%.200s/%.50s",
-+			 _PATH_MAILDIR, pw->pw_name);
-+		child_set_env(&env, &envsize, "MAIL", buf);
+ 	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
++	snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
++	child_set_env(&env, &envsize, "MAIL", buf);
  #ifdef HAVE_LOGIN_CAP
--		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
--			child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
--		else
--			child_set_env(&env, &envsize, "PATH", getenv("PATH"));
-+		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-+		child_set_env(&env, &envsize, "TERM", "su");
-+		senv = environ;
-+		environ = xmalloc(sizeof(char *));
-+		*environ = NULL;
-+		(void) setusercontext(lc, pw, pw->pw_uid,
-+		    LOGIN_SETENV|LOGIN_SETPATH);
-+		copy_environment(environ, &env, &envsize);
-+		for (var = environ; *var != NULL; ++var)
-+			free(*var);
-+		free(environ);
-+		environ = senv;
+-	if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+-		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+-	else
+-		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
++	child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
++	child_set_env(&env, &envsize, "TERM", "su");
++	senv = environ;
++	environ = xmalloc(sizeof(char *));
++	*environ = NULL;
++	(void) setusercontext(lc, pw, pw->pw_uid,
++	    LOGIN_SETENV|LOGIN_SETPATH);
++	copy_environment(environ, &env, &envsize);
++	for (var = environ; *var != NULL; ++var)
++		free(*var);
++	free(environ);
++	environ = senv;
  #else /* HAVE_LOGIN_CAP */
  # ifndef HAVE_CYGWIN
- 		/*
-@@ -1196,15 +1218,9 @@
+ 	/*
+@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
--		snprintf(buf, sizeof buf, "%.200s/%.50s",
--			 _PATH_MAILDIR, pw->pw_name);
--		child_set_env(&env, &envsize, "MAIL", buf);
+-	snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
+-	child_set_env(&env, &envsize, "MAIL", buf);
 -
- 		/* Normal systems set SHELL by default. */
- 		child_set_env(&env, &envsize, "SHELL", shell);
- 	}
+ 	/* Normal systems set SHELL by default. */
+ 	child_set_env(&env, &envsize, "SHELL", shell);
+ 
 -	if (getenv("TZ"))
 -		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- 
+-
  	/* Set custom environment options from RSA authentication. */
- 	if (!options.use_login) {
-@@ -1483,7 +1499,7 @@
+ 	while (custom_environment) {
+ 		struct envstring *ce = custom_environment;
+@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,
diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1
index 5edff7769268..3acde74be9fe 100644
--- a/security/openssh-portable/files/patch-ssh-agent.1
+++ b/security/openssh-portable/files/patch-ssh-agent.1
@@ -4,12 +4,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
-Add a -P option to specify PKCS11_WHITELIST
-
-
---- ssh-agent.1.orig	2016-07-27 17:54:27.000000000 -0500
-+++ ssh-agent.1	2017-01-11 19:05:12.513900000 -0600
-@@ -43,10 +43,11 @@
+--- ssh-agent.1.orig	2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.1	2015-06-02 09:45:37.025390000 -0500
+@@ -43,7 +43,7 @@
  .Sh SYNOPSIS
  .Nm ssh-agent
  .Op Fl c | s
@@ -18,30 +15,7 @@ Add a -P option to specify PKCS11_WHITELIST
  .Op Fl a Ar bind_address
  .Op Fl E Ar fingerprint_hash
  .Op Fl t Ar life
-+.Op Fl P Ar pkcs11_whitelist
- .Op Ar command Op Ar arg ...
- .Nm ssh-agent
- .Op Fl c | s
-@@ -121,6 +122,18 @@
- Kill the current agent (given by the
- .Ev SSH_AGENT_PID
- environment variable).
-+.It Fl P
-+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
-+that may be added using the
-+.Fl s
-+option to
-+.Xr ssh-add 1 .
-+The default is to allow loading PKCS#11 libraries from
-+.Dq /usr/lib/*,/usr/local/lib/* .
-+PKCS#11 libraries that do not match the whitelist will be refused.
-+See PATTERNS in
-+.Xr ssh_config 5
-+for a description of pattern-list syntax.
- .It Fl s
- Generate Bourne shell commands on
- .Dv stdout .
-@@ -135,6 +148,8 @@
+@@ -128,6 +128,8 @@
  .Xr ssh-add 1
  overrides this value.
  Without this option the default maximum lifetime is forever.
@@ -49,4 +23,4 @@ Add a -P option to specify PKCS11_WHITELIST
 +Exit after the last client has disconnected.
  .El
  .Pp
- If a command line is given, this is executed as a subprocess of the agent.
+ If a commandline is given, this is executed as a subprocess of the agent.
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 75243fa5c57e..97bc26aa335b 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,39 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
-Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
-
-
---- ssh-agent.c.orig	2016-07-27 17:54:27.000000000 -0500
-+++ ssh-agent.c	2017-01-11 19:02:59.600125000 -0600
-@@ -83,11 +83,16 @@
- #include "misc.h"
- #include "digest.h"
- #include "ssherr.h"
-+#include "match.h"
- 
- #ifdef ENABLE_PKCS11
- #include "ssh-pkcs11.h"
- #endif
- 
-+#ifndef DEFAULT_PKCS11_WHITELIST
-+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
-+#endif
-+
- typedef enum {
- 	AUTH_UNUSED,
- 	AUTH_SOCKET,
-@@ -135,6 +140,9 @@
- char socket_name[PATH_MAX];
- char socket_dir[PATH_MAX];
- 
-+/* PKCS#11 path whitelist */
-+static char *pkcs11_whitelist;
-+
- /* locking */
- #define LOCK_SIZE	32
- #define LOCK_SALT_SIZE	16
-@@ -150,15 +158,34 @@
+--- ssh-agent.c.orig	2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.c	2015-06-02 09:46:54.719580000 -0500
+@@ -157,15 +157,34 @@ static long lifetime = 0;
  
  static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  
@@ -75,50 +45,7 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
  }
  
  static void
-@@ -738,7 +765,7 @@
- static void
- process_add_smartcard_key(SocketEntry *e)
- {
--	char *provider = NULL, *pin;
-+	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
- 	int r, i, version, count = 0, success = 0, confirm = 0;
- 	u_int seconds;
- 	time_t death = 0;
-@@ -770,10 +797,21 @@
- 			goto send;
- 		}
- 	}
-+	if (realpath(provider, canonical_provider) == NULL) {
-+		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
-+		    provider, strerror(errno));
-+		goto send;
-+	}
-+	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
-+		verbose("refusing PKCS#11 add of \"%.100s\": "
-+		    "provider not whitelisted", canonical_provider);
-+		goto send;
-+	}
-+	debug("%s: add %.100s", __func__, canonical_provider);
- 	if (lifetime && !death)
- 		death = monotime() + lifetime;
- 
--	count = pkcs11_add_provider(provider, pin, &keys);
-+	count = pkcs11_add_provider(canonical_provider, pin, &keys);
- 	for (i = 0; i < count; i++) {
- 		k = keys[i];
- 		version = k->type == KEY_RSA1 ? 1 : 2;
-@@ -781,8 +819,8 @@
- 		if (lookup_identity(k, version) == NULL) {
- 			id = xcalloc(1, sizeof(Identity));
- 			id->key = k;
--			id->provider = xstrdup(provider);
--			id->comment = xstrdup(provider); /* XXX */
-+			id->provider = xstrdup(canonical_provider);
-+			id->comment = xstrdup(canonical_provider); /* XXX */
- 			id->death = death;
- 			id->confirm = confirm;
- 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-@@ -945,6 +983,10 @@
+@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd)
  {
  	u_int i, old_alloc, new_alloc;
  
@@ -129,18 +56,16 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1172,8 +1214,8 @@
+@@ -1190,7 +1213,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
--	    "                 [-t life] [command [arg ...]]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
-+	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
+ 	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
  	    "       ssh-agent [-c | -s] -k\n");
  	exit(1);
- }
-@@ -1204,6 +1246,7 @@
+@@ -1222,6 +1245,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -148,28 +73,16 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1214,7 +1257,7 @@
+@@ -1232,7 +1256,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
--	while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
+-	while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
 +	while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1229,6 +1272,11 @@
- 		case 'k':
- 			k_flag++;
- 			break;
-+		case 'P':
-+			if (pkcs11_whitelist != NULL)
-+				fatal("-P option already specified");
-+			pkcs11_whitelist = xstrdup(optarg);
-+			break;
- 		case 's':
- 			if (c_flag)
- 				usage();
-@@ -1253,6 +1301,9 @@
+@@ -1276,6 +1300,9 @@ main(int ac, char **av)
  				usage();
  			}
  			break;
@@ -179,22 +92,3 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
  		default:
  			usage();
  		}
-@@ -1263,6 +1314,9 @@
- 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
- 		usage();
- 
-+	if (pkcs11_whitelist == NULL)
-+		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
-+
- 	if (ac == 0 && !c_flag && !s_flag) {
- 		shell = getenv("SHELL");
- 		if (shell != NULL && (len = strlen(shell)) > 2 &&
-@@ -1410,7 +1464,7 @@
- 	signal(SIGTERM, cleanup_handler);
- 	nalloc = 0;
- 
--	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
-+	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
- 		fatal("%s: pledge: %s", __progname, strerror(errno));
- 	platform_pledge_agent();
- 
diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5
index ea28ceeb8e75..416c64f83fe9 100644
--- a/security/openssh-portable/files/patch-ssh_config.5
+++ b/security/openssh-portable/files/patch-ssh_config.5
@@ -6,12 +6,21 @@ rev 1.2 of readconf.c.
 
 --- ssh_config.5.orig	2010-08-04 21:03:13.000000000 -0600
 +++ ssh_config.5	2010-09-14 16:14:13.000000000 -0600
-@@ -164,7 +164,7 @@
- .Dq no ,
+@@ -377,8 +377,7 @@ or
+ .Cm no .
+ .It Cm CheckHostIP
+ If set to
+-.Cm yes
+-(the default),
++.Cm yes ,
+ .Xr ssh 1
+ will additionally check the host IP address in the
+ .Pa known_hosts
+@@ -390,6 +389,7 @@ in the process, regardless of the settin
+ .Cm StrictHostKeyChecking .
+ If the option is set to
+ .Cm no ,
++(the default),
  the check will not be executed.
- The default is
--.Dq yes .
-+.Dq no .
  .It Cm Cipher
  Specifies the cipher to use for encrypting the session
- in protocol version 1.
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 3948f4056b96..41e8a6283bd0 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,6 +1,6 @@
---- sshd_config.5.orig	2015-05-29 03:27:21.000000000 UTC
-+++ sshd_config.5	2015-06-02 09:49:08.463186000 -0500
-@@ -375,7 +375,9 @@ By default, no banner is displayed.
+--- sshd_config.5.orig	2016-12-18 20:59:41.000000000 -0800
++++ sshd_config.5	2017-01-11 13:35:46.496538000 -0800
+@@ -373,7 +373,9 @@ By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
  PAM or through authentication styles supported in
@@ -9,21 +9,32 @@
 +See also
 +.Cm UsePAM .
  The default is
- .Dq yes .
+ .Cm yes .
  .It Cm ChrootDirectory
-@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic
+@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa
+ The list of available key types may also be obtained using
+ .Qq ssh -Q key .
+ .It Cm HostbasedAuthentication
+-Specifies whether rhosts or /etc/hosts.equiv authentication together
++Specifies whether rhosts or
++.Pa /etc/hosts.equiv
++authentication together
+ with successful public key client host authentication is allowed
+ (host-based authentication).
+ The default is
+@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
-+.Dq no ,
++.Cm no ,
 +unless
 +.Nm sshd
 +was built without PAM support, in which case the default is
- .Dq yes .
+ .Cm yes .
 +Note that if
 +.Cm ChallengeResponseAuthentication
 +is
-+.Dq yes ,
++.Cm yes ,
 +and the PAM authentication policy for
 +.Nm sshd
 +includes
@@ -34,58 +45,47 @@
  .It Cm PermitEmptyPasswords
  When password authentication is allowed, it specifies whether the
  server allows login to accounts with empty password strings.
-@@ -1158,6 +1175,13 @@ or
- .Dq no .
+@@ -1216,6 +1235,13 @@ and
+ .Cm ethernet .
  The default is
- .Dq no .
+ .Cm no .
 +Note that if
 +.Cm ChallengeResponseAuthentication
 +is
-+.Dq yes ,
++.Cm yes ,
 +the root user may be allowed in with its password even if
 +.Cm PermitRootLogin is set to
-+.Dq without-password .
++.Cm without-password .
  .Pp
- If this option is set to
- .Dq without-password ,
-@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as 
- For more information on KRLs, see the KEY REVOCATION LISTS section in
- .Xr ssh-keygen 1 .
- .It Cm RhostsRSAAuthentication
--Specifies whether rhosts or /etc/hosts.equiv authentication together
-+Specifies whether rhosts or
-+.Pa /etc/hosts.equiv
-+authentication together
- with successful RSA host authentication is allowed.
- The default is
- .Dq no .
-@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run
+ Independent of this setting, the permissions of the selected
+ .Xr tun 4
+@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run
  .Xr sshd 8
  as a non-root user.
  The default is
--.Dq no .
-+.Dq yes .
+-.Cm no .
++.Cm yes .
  .It Cm UsePrivilegeSeparation
  Specifies whether
  .Xr sshd 8
-@@ -1520,7 +1546,10 @@ restrictions.
+@@ -1500,7 +1526,10 @@ The default is
  Optionally specifies additional text to append to the SSH protocol banner
  sent by the server upon connection.
  The default is
--.Dq none .
-+.Dq %%SSH_VERSION_FREEBSD_PORT%% .
+-.Cm none .
++.Cm %%SSH_VERSION_FREEBSD_PORT%% .
 +The value
-+.Dq none
++.Cm none
 +may be used to disable this.
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's
-@@ -1534,7 +1563,7 @@ The argument must be
+@@ -1514,7 +1543,7 @@ The argument must be
  or
- .Dq no .
+ .Cm no .
  The default is
--.Dq no .
-+.Dq yes .
+-.Cm no .
++.Cm yes .
  .Pp
  When X11 forwarding is enabled, there may be additional exposure to
  the server and to client displays if the
author	Bryan Drewery <bdrewery@FreeBSD.org>	2017-01-16 19:30:31 +0000
committer	Bryan Drewery <bdrewery@FreeBSD.org>	2017-01-16 19:30:31 +0000
commit	8da82fad61c6b94602430f04e987ffaf1ca90a5f (patch)
tree	10555beba9bd193e2b56e1f8e413b3abb7242681
parent	www/tinyproxy: MAINTAINER back to sunpoet@ (diff)