Secure shell client and server (remote login program).

PR:		ports/8204
Submitted by:	Issei Suzuki <issei@jp.FreeBSD.ORG>

6 files changed, 172 insertions, 318 deletions

diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile
index 606fbdd463e9..b6f5caf2e643 100644
--- a/security/ssh2/Makefile
+++ b/security/ssh2/Makefile
@@ -1,157 +1,105 @@
-# New ports collection makefile for:	ssh
-# Version required:     1.2.25
-# Date created:		30 Jul 1995
-# Whom:			torstenb@FreeBSD.ORG
+# New ports collection makefile for:	ssh2
+# Version required:     2.0.9
+# Date created:		5 Oct 1998
+# Whom:			Issei Suzuki <issei@jp.FreeBSD.ORG>
 #
-# $Id: Makefile,v 1.71 1998/10/30 06:15:18 obrien Exp $
-#
-# Maximal ssh package requires YES values for
-# USE_PERL, USE_TCPWRAP
+# $Id$
 #
+# Maximal ssh2 package requires YES values for
+# USE_SSH1, USE_TCPWRAP
 
-DISTNAME=       ssh-1.2.26
+DISTNAME=       ssh-2.0.9
 CATEGORIES=	security net
-MASTER_SITES=   ftp://ftp.funet.fi/pub/unix/security/login/ssh/
-
-MAINTAINER=	torstenb@FreeBSD.ORG
-
-BROKEN=		update
+MASTER_SITES=   ftp://tp.cs.hut.fi/pub/ssh/ \
+		ftp://sunsite.unc.edu/pub/packages/security/ssh/ \
+		ftp://ftp.kyoto.wide.ad.jp/pub/security/ssh/
 
-# You can set USA_RESIDENT appropriately in /etc/make.conf if this bugs you..
+PATCH_SITES=	${MASTER_SITES}
+PATCHFILES=	${DISTNAME}-configure-patch
 
-.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
-MASTER_SITES=	\
-	ftp://ftp.funet.fi/pub/unix/security/login/ssh/ \
-	ftp://nic.funet.fi/pub/crypt/mirrors/ftp.dsi.unimi.it/applied-crypto/ \
-	ftp://rzsun2.informatik.uni-hamburg.de/pub/virus/crypt/ripem/ \
-	ftp://idea.sec.dsi.unimi.it/pub/security/crypt/math/ \
-	ftp://ftp.univie.ac.at/security/crypt/cryptography/asymmetric/rsa/ \
-	ftp://isdec.vc.cvut.cz/pub/security/unimi/crypt/applied-crypto/
-
-CONFIGURE_ARGS+= --with-rsaref
-LIB_DEPENDS+=	rsaref.2:${PORTSDIR}/security/rsaref
-BUILD_DEPENDS+= /nonexistent:${PORTSDIR}/security/rsaref:extract
-.endif
-
-#
-# Use Phil Karn's asm patches to speed up DES on intel.
-# Download by hand from http://www.cryptography.org/cgi-bin/crypto.cgi/ssh/  
-# and put in distfiles directory.
-#
-# Disabled for now, since there's not such a patchkit for 1.2.25 version.
-#.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES
-#PATCHFILES=ssh-1.2.22-patchkit
-#PATCH_DIST_STRIP=-p1
-#.endif
+MAINTAINER=	issei@jp.FreeBSD.org
 
 RESTRICTED=	"Crypto; export-controlled"
-IS_INTERACTIVE=	YES
 
 GNU_CONFIGURE=	YES
+MAKE_ENV=	SSH_SERVER_DIR="${PREFIX}/etc/ssh2" \
+		SSH_CLIENT_GLOBAL_CONFIG_FILE="${PREFIX}/etc/ssh2/ssh2_config"
 
-CONFIGURE_ARGS+= --with-etcdir=${PREFIX}/etc
-
+CONFIGURE_ARGS= --prefix=${PREFIX} --with-etcdir=${PREFIX}/etc
 #Uncomment if all your users are in their own group and their homedir
 #is writeable by that group.  Beware the security implications!
 #CONFIGURE_ARGS+= --enable-group-writeability
-
-#Uncomment if you want to allow ssh to emulate an unencrypted rsh connection
-#over a secure medium.  This is normally dangerous since it can lead to the
-#disclosure keys and passwords.
-#CONFIGURE_ARGS+= --with-none
-
-.if defined(KRB5_HOME) && exists(${KRB5_HOME})
-CONFIGURE_ARGS+=--with-kerberos5=${KRB5_HOME} --enable-kerberos-tgt-passing
+#
+# Include support for ssh1 client backward compatibility
+.if defined(USE_SSH1) && ${USE_SSH1} == YES
+BUILD_DEPENDS+=	ssh1:${PORTSDIR}/security/ssh
+RUN_DEPENDS+=	ssh1:${PORTSDIR}/security/ssh
 .endif
-
-# Include support for the SecureID card
 # Warning: untested !
+# Include support for the SecureID card
 .if defined(USE_SECUREID) && ${USE_SECUREID} == YES
 CONFIGURE_ARGS+= --with-secureid
 .endif
-
-# Don't use IDEA. IDEA can be freely used for non-commercial use. However,
-# commercial use may require a licence in a number of countries
-# Warning: untested !
-.if defined(DONT_USE_IDEA) && ${DONT_USE_IDEA} == YES
-CONFIGURE_ARGS+= --without-idea
+.if defined(USE_TIS) && ${USE_TIS} == YES
+# Include support for the TIS authentication server
+CONFIGURE_ARGS+= --with-tis
 .endif
-
-.if !exists(${X11BASE}/bin/xauth)
-CONFIGURE_ARGS+= --without-x
+# Include tcp_wrappers support
+.if defined(USE_TCPWRAP) && ${USE_TCPWRAP} == YES
+CONFIGURE_ARGS+= --with-libwrap
+LIB_DEPENDS+=   wrap.7:${PORTSDIR}/security/tcp_wrapper
 .endif
 
-MAN1=		scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \
-		make-ssh-known-hosts1.1
-MAN8=		sshd1.8
-
-
-pre-patch:
-	@${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \
-	    ${WRKSRC}/make-ssh-known-hosts.pl.in
-
-fetch-depends:
-.if !defined(USA_RESIDENT) || ${USA_RESIDENT} != YES && ${USA_RESIDENT} != NO
-	@echo
-	@echo You must set the variable USA_RESIDENT to YES if you are a
-	@echo United States resident, otherwise NO.
-	@echo If you are a US resident then this port must also fetch
-	@echo the RSAREF2 library from sources abroad \(RSA Inc. holds a
-	@echo patent on RSA and public key crypto in general in the United
-	@echo States so using RSA implementations other than RSAREF there
-	@echo may violate US patent law\).
-	@false
+MAN1=	ssh2.1 ssh-keygen2.1 ssh-add2.1 ssh-agent2.1 \
+	scp2.1 sftp2.1
+MAN8=	sshd2.8
+
+USE_SSH1?=	YES
+USE_TCPWRAP?=	NO
+USE_TIS?=	NO
+USE_SECUREID?=	NO
+PORTDOCS=	CHANGES LICENSING README
+.if !defined(USE_SSH1) || (defined(USE_SSH1) && ${USE_SSH1} != YES)
+PLIST=		${PKGDIR}/PLIST.ssh2_only
+.endif
+.if defined(NOMANCOMPRESS)
+MAN_SUFX=	""
+.else
+MAN_SUFX=	.gz
 .endif
 
 post-install:
-	@if [ ! -f ${PREFIX}/etc/ssh_host_key ]; then \
-		echo "Generating a secret host key..."; \
-		${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \
-	fi
+.if defined(USE_SSH1) && ${USE_SSH1} == YES
+.for i in ssh ssh-keygen ssh-add ssh-agent scp
+	${MV} -f ${PREFIX}/man/man1/${i}.1${MAN_SUFX} ${PREFIX}/man/man1/${i}.old.1${MAN_SUFX}
+.endfor
+	${MV} -f ${PREFIX}/man/man8/sshd.8${MAN_SUFX} ${PREFIX}/man/man8/sshd.old.8${MAN_SUFX}
+.endif
+#
 .if !defined(NOMANCOMPRESS)
-	for file in make-ssh-known-hosts scp ssh-add ssh-agent \
-	    ssh-keygen ssh; do \
-		rm -f ${PREFIX}/man/man1/$${file}.1; \
-		ln -sf $${file}1.1.gz ${PREFIX}/man/man1/$${file}.1.gz; \
-	done
-	rm -f ${PREFIX}/man/man1/slogin.1
-	rm -f ${PREFIX}/man/man1/slogin1.1
-	rm -f ${PREFIX}/man/man8/sshd.8
-	ln -sf ssh.1.gz ${PREFIX}/man/man1/slogin.1.gz
-	ln -sf ssh1.1.gz ${PREFIX}/man/man1/slogin1.1.gz
-	ln -sf sshd1.8.gz ${PREFIX}/man/man8/sshd.8.gz
-.else
-	${ECHO} Warning---some manpages not installed.  See port Makefile
+.for i in ssh ssh-keygen ssh-add ssh-agent scp sftp
+	${RM} -f ${PREFIX}/man/man1/${i}.1
+	${LN} -sf ${i}2.1.gz ${PREFIX}/man/man1/${i}.1.gz
+.endfor
+	${RM} -f ${PREFIX}/man/man8/sshd.8
+	${LN} -sf sshd2.8.gz ${PREFIX}/man/man8/sshd.8.gz
+.endif
+#
+.if !defined(NOPORTDOCS)
+	-${MKDIR} ${PREFIX}/share/doc/ssh2
+.for i in ${PORTDOCS}
+	${INSTALL_DATA} ${WRKSRC}/$i ${PREFIX}/share/doc/ssh2
+.endfor
 .endif
+#
 	@if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
-		echo "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
-		echo "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
-		echo "[ -x ${PREFIX}/sbin/sshd ] && ${PREFIX}/sbin/sshd && echo -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
+		${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
+		${ECHO} "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
+		${ECHO} "[ -x ${PREFIX}/sbin/sshd ] && ${PREFIX}/sbin/sshd && ${ECHO} -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
 		chmod 751 ${PREFIX}/etc/rc.d/sshd.sh; \
 	fi
+	@if [ -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
+		chmod -x ${PREFIX}/etc/rc.d/sshd.sh; \
+	fi
 
 .include <bsd.port.mk>
-
-# Following stuff must be after <bsd.port.mk> to expand exists() properly
-
-.if defined(USE_PERL) && ${USE_PERL} == YES || \
-    exists(${PERL5}) && (!defined(USE_PERL) || ${USE_PERL} != NO)
-BUILD_DEPENDS+= perl${PERL_VERSION}:${PORTSDIR}/lang/perl5
-CONFIGURE_ENV+= PERL=${PERL5}
-.else
-CONFIGURE_ENV+= PERL=/replace_it_with_PERL_path
-.endif
-
-# Include tcp-wrapper support (call remote identd)
-.if defined(USE_TCPWRAP) && ${USE_TCPWRAP} == YES || \
-    exists(${PREFIX}/lib/libwrap.a) && \
-    (!defined(USE_TCPWRAP) || ${USE_TCPWRAP} != NO)
-CONFIGURE_ENV+= LDFLAGS=-L${PREFIX}/lib CFLAGS="${CFLAGS} -I${PREFIX}/include"
-CONFIGURE_ARGS+= --with-libwrap
-LIB_DEPENDS+=   wrap.7:${PORTSDIR}/security/tcp_wrapper
-.endif
-
-# Include SOCKS firewall support
-.if defined(USE_SOCKS) && ${USE_SOCKS} == YES
-CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5" --with-socks5
-.endif
diff --git a/security/ssh2/distinfo b/security/ssh2/distinfo
index d3b49042f45b..6cf128dcbb2e 100644
--- a/security/ssh2/distinfo
+++ b/security/ssh2/distinfo
@@ -1,3 +1,2 @@
-MD5 (ssh-1.2.26.tar.gz) = 2ee46d454015dd01c5e8f074eabf0245
-MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d
-MD5 (ssh-1.2.22-patchkit) = 5228897d59be91ad3ae88e992d61cd50
+MD5 (ssh-2.0.9.tar.gz) = 745a65d3a7516979b003fe15d78d93d4
+MD5 (ssh-2.0.9-configure-patch) = b8a422c201500ff816483825c1152788
diff --git a/security/ssh2/files/patch-aa b/security/ssh2/files/patch-aa
index 83e9968ac319..31fcb2311bb8 100644
--- a/security/ssh2/files/patch-aa
+++ b/security/ssh2/files/patch-aa
@@ -1,19 +1,10 @@
-*** make-ssh-known-hosts.pl.in.orig	Wed Apr 23 08:40:05 1997
---- make-ssh-known-hosts.pl.in	Fri Apr 25 12:38:21 1997
-***************
-*** 87,93 ****
-  $debug = 5;
-  $defserver = '';
-  $bell='\a';
-! $public_key = '/etc/ssh_host_key.pub';
-  $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
-  $timeout = 60;
-  $ping_timeout = 3;
---- 87,93 ----
-  $debug = 5;
-  $defserver = '';
-  $bell='\a';
-! $public_key = '@ETCDIR@/ssh_host_key.pub';
-  $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
-  $timeout = 60;
-  $ping_timeout = 3;
+--- apps/ssh/Makefile.in.old	Mon Oct  5 22:18:17 1998
++++ apps/ssh/Makefile.in	Mon Oct  5 22:25:16 1998
+@@ -167,6 +167,7 @@
+ # defines
+ 
+ SSH_DEFS = -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\"
++SSH_DEFS+= -DSSH_SERVER_DIR=\"$(SSH_SERVER_DIR)\" -DSSH_CLIENT_GLOBAL_CONFIG_FILE=\"$(SSH_CLIENT_GLOBAL_CONFIG_FILE)\"
+ 
+ COMPILE = $(CC) $(KERBEROS_INCS) $(INCLUDES) $(SSH_DEFS) $(DEFS) $(CPPFLAGS) $(CFLAGS) $(X_CFLAGS)
+ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
diff --git a/security/ssh2/files/patch-ab b/security/ssh2/files/patch-ab
index 0456b49d4478..f5d0d355ab77 100644
--- a/security/ssh2/files/patch-ab
+++ b/security/ssh2/files/patch-ab
@@ -1,62 +1,15 @@
-*** configure.orig	Wed Apr 23 08:40:06 1997
---- configure	Fri Apr 25 12:38:54 1997
-***************
-*** 1757,1768 ****
-  
-  export CFLAGS CC
-  
-- # Socket pairs appear to be broken on several systems.  I don't know exactly
-- # where, so I'll use pipes everywhere for now.
-- cat >> confdefs.h <<\EOF
-- #define USE_PIPES 1
-- EOF
-- 
-  
-  echo $ac_n "checking that the compiler works""... $ac_c" 1>&6
-  echo "configure:1769: checking that the compiler works" >&5
---- 1757,1762 ----
-***************
-*** 2759,2765 ****
-  
-  fi
-  
-! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h
-  do
-  ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-  echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
---- 2753,2759 ----
-  
-  fi
-  
-! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h
-  do
-  ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-  echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-***************
-*** 7031,7037 ****
-  
-  cat >> $CONFIG_STATUS <<EOF
-  
-! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile"}
-  EOF
-  cat >> $CONFIG_STATUS <<\EOF
-  for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
---- 7025,7031 ----
-  
-  cat >> $CONFIG_STATUS <<EOF
-  
-! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl"}
-  EOF
-  cat >> $CONFIG_STATUS <<\EOF
-  for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
-***************
-*** 7235,7240 ****
---- 7229,7236 ----
-    done
-  
-    for ac_config_dir in gmp-2.0.2-ssh-2; do
-+   
-+ continue # XXX don't configure gmp
-  
-      # Do not complain, so a configure script can configure whichever
-      # parts of a large source tree are present.
+When you compile *.s with 'cc -pipe' on ELFed FreeBSD, it never ends.
+This patch is ugly hack to avoid the problem.
+
+--- lib/sshmath/Makefile.in.old	Thu Oct  8 03:48:38 1998
++++ lib/sshmath/Makefile.in	Thu Oct  8 03:49:32 1998
+@@ -383,8 +383,7 @@
+ 
+ .S.o:
+ 	$(CPP) $(CPPFLAGS) $(INCLUDES) $(DEFS) $< | grep -v '^#' >tmp-$*.s
+-	$(CC) $(CFLAGS) $(SFLAGS) -c tmp-$*.s
+-	mv tmp-$*.o $@
++	$(AS) $(SFLAGS) -o $@ tmp-$*.s
+ 	rm -f tmp-$*.s
+ 
+ includes:
diff --git a/security/ssh2/pkg-descr b/security/ssh2/pkg-descr
index 307b86088bcf..de564216cd2e 100644
--- a/security/ssh2/pkg-descr
+++ b/security/ssh2/pkg-descr
@@ -1,99 +1,33 @@
-Secure Shell is a program to log into another computer over a network,
-to execute commands in a remote machine, and to move files from one
-machine to another.  It provides strong authentication and secure
-communications over insecure channels.  It is inteded as a replacement
-for rlogin, rsh, and rcp.
+SSH Protocols and Secure Shell
 
-FEATURES
+  Secure Shell is the secure login program that revolutionized remote
+management of networks hosts over the Internet.  It is a powerful,
+very easy-to-use program that uses strong cryptography for protecting
+all transmitted confidential data, including passwords, binary files,
+and administrative commands.
 
- o  Complete replacement for rlogin, rsh, and rcp.
+  SSH Communications Security is the developer of the Secure Shell and
+the SSH protocol, technologies that are the de-facto standard for
+encrypted terminal connections on the Internet. The benefits of SSH
+include 
 
- o  Strong authentication.  Closes several security holes (e.g., IP,
-    routing, and DNS spoofing).  New authentication methods: .rhosts
-    together with RSA based host authentication, and pure RSA
-    authentication.
+o Automatic authentication of users, no passwords sent in cleartext to
+  prevent the stealing of passwords.
 
- o  Improved privacy.  All communications are automatically and
-    transparently encrypted.  RSA is used for key exchange, and a
-    conventional cipher (normally IDEA, DES, or triple-DES) for
-    encrypting the session.  Encryption is started before
-    authentication, and no passwords or other information is
-    transmitted in the clear.  Encryption is also used to protect
-    against spoofed packets.
+o Multiple strong authentication methods that prevent such security
+  threats as spoofing identity.
 
- o  Secure X11 sessions.  The program automatically sets DISPLAY on
-    the server machine, and forwards any X11 connections over the
-    secure channel.  Fake Xauthority information is automatically
-    generated and forwarded to the remote machine; the local client
-    automatically examines incoming X11 connections and replaces the
-    fake authorization data with the real data (never telling the 
-    remote machine the real information).
+o Authentication of both ends of connection, the server and the client
+  are authenticated to prevent identity spoofing, trojan horses, etc. 
 
- o  Arbitrary TCP/IP ports can be redirected through the encrypted channel
-    in both directions (e.g., for e-cash transactions).
+o Automatic authentication using agents to enable strong
+  authentication to multiple systems with a single-sign-on.
 
- o  No retraining needed for normal users; everything happens
-    automatically, and old .rhosts files will work with strong
-    authentication if administration installs host key files.
+o Encryption and compression of data for security and speed.
 
- o  Never trusts the network.  Minimal trust on the remote side of
-    the connection.  Minimal trust on domain name servers.  Pure RSA
-    authentication never trusts anything but the private key.
+o Secure file transfer.
 
- o  Client RSA-authenticates the server machine in the beginning of
-    every connection to prevent trojan horses (by routing or DNS
-    spoofing) and man-in-the-middle attacks, and the server
-    RSA-authenticates the client machine before accepting .rhosts or
-    /etc/hosts.equiv authentication (to prevent DNS, routing, or
-    IP-spoofing).
+o Tunneling and encryption of arbitrary connections.
 
- o  Host authentication key distribution can be centrally by the
-    administration, automatically when the first connection is made
-    to a machine (the key obtained on the first connection will be
-    recorded and used for authentication in the future), or manually
-    by each user for his/her own use.  The central and per-user host
-    key repositories are both used and complement each other.  Host
-    keys can be generated centrally or automatically when the software
-    is installed.  Host authentication keys are typically 1024 bits.
-
- o  Any user can create any number of user authentication RSA keys for
-    his/her own use.  Each user has a file which lists the RSA public
-    keys for which proof of possession of the corresponding private
-    key is accepted as authentication.  User authentication keys are
-    typically 1024 bits.
-
- o  The server program has its own server RSA key which is
-    automatically regenerated every hour.  This key is never saved in
-    any file.  Exchanged session keys are encrypted using both the
-    server key and the server host key.  The purpose of the separate
-    server key is to make it impossible to decipher a captured session by
-    breaking into the server machine at a later time; one hour from
-    the connection even the server machine cannot decipher the session
-    key.  The key regeneration interval is configurable.  The server
-    key is normally 768 bits.
-
- o  An authentication agent, running in the user's laptop or local
-    workstation, can be used to hold the user's RSA authentication
-    keys.  Ssh automatically forwards the connection to the
-    authentication agent over any connections, and there is no need to
-    store the RSA authentication keys on any machine in the network
-    (except the user's own local machine).  The authentication
-    protocols never reveal the keys; they can only be used to verify
-    that the user's agent has a certain key.  Eventually the agent
-    could rely on a smart card to perform all authentication
-    computations.
-
- o  The software can be installed and used (with restricted
-    functionality) even without root privileges.
-
- o  The client is customizable in system-wide and per-user
-    configuration files.  Most aspects of the client's operation can
-    be configured.  Different options can be specified on a per-host basis.
-
- o  Automatically executes conventional rsh (after displaying a
-    warning) if the server machine is not running sshd.
-
- o  Optional compression of all data with gzip (including forwarded X11
-    and TCP/IP port data), which may result in significant speedups on
-    slow connections.
 
+See http://www.ssh.fi/ for more details.
diff --git a/security/ssh2/pkg-plist b/security/ssh2/pkg-plist
index c99dd209976f..8d6c7cff7eba 100644
--- a/security/ssh2/pkg-plist
+++ b/security/ssh2/pkg-plist
@@ -1,29 +1,58 @@
-etc/rc.d/sshd.sh
-bin/scp1
-bin/scp
-bin/ssh1
+bin/ssh2
+@exec mv %D/bin/ssh %D/bin/ssh.old
 bin/ssh
-bin/slogin
-bin/ssh-add1
-bin/ssh-add
-bin/ssh-agent1
+@unexec mv -f %B/%f.old %B/%f
+bin/scp2
+@exec mv %D/bin/scp %D/bin/scp.old
+bin/scp
+@unexec mv -f %B/%f.old %B/%f
+bin/sftp2
+bin/sftp
+bin/sftp-server2
+bin/sftp-server
+bin/ssh-agent2
+@exec mv %D/bin/ssh-agent %D/bin/ssh-agent.old
 bin/ssh-agent
-bin/ssh-askpass1
-bin/ssh-askpass
-bin/ssh-keygen1
+@unexec mv -f %B/%f.old %B/%f
+bin/ssh-keygen2
+@exec mv %D/bin/ssh-keygen %D/bin/ssh-keygen.old
 bin/ssh-keygen
-bin/make-ssh-known-hosts1
-bin/make-ssh-known-hosts
-etc/ssh_config
-etc/sshd_config
-man/man1/make-ssh-known-hosts.1.gz
-man/man1/scp.1.gz
+@unexec mv -f %B/%f.old %B/%f
+bin/ssh-add2
+@exec mv %D/bin/ssh-add %D/bin/ssh-add.old
+bin/ssh-add
+@unexec mv -f %B/%f.old %B/%f
+bin/ssh-askpass2
+@exec mv %D/bin/ssh-askpass %D/bin/ssh-askpass.old
+bin/ssh-askpass
+@unexec mv -f %B/%f.old %B/%f
+etc/ssh2/ssh2_config
+etc/ssh2/sshd2_config
+man/man1/sftp.1.gz
+@exec mv %D/man/man1/ssh.1.gz %D/man/man1/ssh.old.1.gz
+man/man1/ssh.1.gz
+@unexec mv -f %B/ssh.old.1.gz %B/%f
+@exec mv %D/man/man1/ssh-add.1.gz %D/man/man1/ssh-add.old.1.gz
 man/man1/ssh-add.1.gz
+@unexec mv -f %B/ssh-add.old.1.gz %B/%f
+@exec mv %D/man/man1/ssh-agent.1.gz %D/man/man1/ssh-agent.old.1.gz
 man/man1/ssh-agent.1.gz
+@unexec mv -f %B/ssh-agent.old.1.gz %B/%f
+@exec mv %D/man/man1/ssh-keygen.1.gz %D/man/man1/ssh-keygen.old.1.gz
 man/man1/ssh-keygen.1.gz
-man/man1/ssh.1.gz
-man/man1/slogin.1.gz
+@unexec mv -f %B/ssh-keygen.old.1.gz %B/%f
+@exec mv %D/man/man1/scp.1.gz %D/man/man1/scp.old.1.gz
+man/man1/scp.1.gz
+@unexec mv -f %B/scp.old.1.gz %B/%f
+@exec mv %D/man/man8/sshd.8.gz %D/man/man8/sshd.old.8.gz
 man/man8/sshd.8.gz
-sbin/sshd1
+@unexec mv -f %B/sshd.old.8.gz %B/%f
+sbin/sshd2
+@exec mv %D/sbin/sshd %D/sbin/sshd.old
 sbin/sshd
-@exec if [ ! -f %D/etc/ssh_host_key ]; then echo "Generating a secret host key.." ; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi
+@unexec mv -f %B/%f.old %B/%f
+share/doc/ssh2/CHANGES
+share/doc/ssh2/LICENSING
+share/doc/ssh2/README
+@dirrm share/doc/ssh2
+@exec if [ ! -f %D/etc/ssh2/hostkey ]; then umask 022; echo "Generating 1024 bit host key."; %D/bin/ssh-keygen2 -P -b 1024 -t dsa -c "1024-bit dsa hostkey" -o %D/etc/ssh2/hostkey;  fi