5 files changed, 146 insertions, 0 deletions

diff --git a/security/opkssh/files/patch-commands_readhome.go b/security/opkssh/files/patch-commands_readhome.go
new file mode 100644
index 000000000000..402b3d09f72e
--- /dev/null
+++ b/security/opkssh/files/patch-commands_readhome.go
@@ -0,0 +1,11 @@
+--- commands/readhome.go.orig	2025-11-15 19:19:27 UTC
++++ commands/readhome.go
+@@ -14,7 +14,7 @@
+ //
+ // SPDX-License-Identifier: Apache-2.0
+ 
+-//go:build linux || darwin
++//go:build linux || darwin || freebsd
+ 
+ package commands
+ 
diff --git a/security/opkssh/files/patch-main.go b/security/opkssh/files/patch-main.go
new file mode 100644
index 000000000000..9f8d47b12023
--- /dev/null
+++ b/security/opkssh/files/patch-main.go
@@ -0,0 +1,91 @@
+--- main.go.orig	2025-09-11 18:38:37 UTC
++++ main.go
+@@ -80,7 +80,7 @@ This program allows users to:
+ 		Short:        "Appends new rule to the policy file",
+ 		Long: `Add appends a new policy entry in the auth_id policy file granting SSH access to the specified email or subscriber ID (sub) or group.
+ 
+-It first attempts to write to the system-wide file (/etc/opk/auth_id). If it lacks permissions to update this file it falls back to writing to the user-specific file (~/.opk/auth_id).
++It first attempts to write to the system-wide file (%%PREFIX%%/etc/opk/auth_id). If it lacks permissions to update this file it falls back to writing to the user-specific file (~/.opk/auth_id).
+ 
+ Arguments:
+   PRINCIPAL            The target user account (requested principal).
+@@ -217,7 +217,7 @@ You should not call this command directly. It is calle
+ 		SilenceUsage: true,
+ 		Use:          "verify <PRINCIPAL> <CERT> <KEY_TYPE>",
+ 		Short:        "Verify an SSH key (used by sshd AuthorizedKeysCommand)",
+-		Long: `Verify extracts a PK token from a base64-encoded SSH certificate and verifies it against policy. It expects an allowed provider file at /etc/opk/providers and a user policy file at either /etc/opk/auth_id or ~/.opk/auth_id.
++		Long: `Verify extracts a PK token from a base64-encoded SSH certificate and verifies it against policy. It expects an allowed provider file at %%PREFIX%%/etc/opk/providers and a user policy file at either %%PREFIX%%/etc/opk/auth_id or ~/.opk/auth_id.
+ 
+ This command is intended to be called by sshd as an AuthorizedKeysCommand:
+   https://man.openbsd.org/sshd_config#AuthorizedKeysCommand
+@@ -233,8 +233,8 @@ Verification checks performed:
+ 
+ Verification checks performed:
+   1. Ensures the PK token is properly formed, signed, and issued by the specified OpenID Provider (OP).
+-  2. Confirms the PK token's issue (iss) and client ID (audience) are listed in the allowed provider file (/etc/opk/providers) and the token is not expired.
+-  3. Validates the identity (email or sub) in the PK token against user policies (/etc/opk/auth_id or ~/.opk/auth_id) to ensure it can assume the requested username (principal).
++  2. Confirms the PK token's issue (iss) and client ID (audience) are listed in the allowed provider file (%%PREFIX%%/etc/opk/providers) and the token is not expired.
++  3. Validates the identity (email or sub) in the PK token against user policies (%%PREFIX%%/etc/opk/auth_id or ~/.opk/auth_id) to ensure it can assume the requested username (principal).
+ 
+ If all checks pass, Verify authorizes the SSH connection.
+ 
+@@ -269,10 +269,10 @@ Arguments:
+ 			certB64Arg := args[1]
+ 			typArg := args[2]
+ 
+-			providerPolicyPath := "/etc/opk/providers"
++			providerPolicyPath := "%%PREFIX%%/etc/opk/providers"
+ 			providerPolicy, err := policy.NewProviderFileLoader().LoadProviderPolicy(providerPolicyPath)
+ 			if err != nil {
+-				log.Println("Failed to open /etc/opk/providers:", err)
++				log.Println("Failed to open %%PREFIX%%/etc/opk/providers:", err)
+ 				return err
+ 			}
+ 
+@@ -301,7 +301,7 @@ Arguments:
+ 			}
+ 		},
+ 	}
+-	verifyCmd.Flags().StringVar(&serverConfigPathArg, "config-path", "/etc/opk/config.yml", "Path to the server config file. Default: /etc/opk/config.yml.")
++	verifyCmd.Flags().StringVar(&serverConfigPathArg, "config-path", "%%PREFIX%%/etc/opk/config.yml", "Path to the server config file. Default: %%PREFIX%%/etc/opk/config.yml.")
+ 	rootCmd.AddCommand(verifyCmd)
+ 
+ 	clientCmd := &cobra.Command{
+@@ -504,30 +504,30 @@ func detectOS() OSType {
+ // detectOS determines the type of operating system.
+ func detectOS() OSType {
+ 	// Check for RedHat-based systems
+-	if _, err := os.Stat("/etc/redhat-release"); err == nil {
++	if _, err := os.Stat("%%PREFIX%%/etc/redhat-release"); err == nil {
+ 		return OSTypeRHEL
+ 	}
+ 
+ 	// Check for Debian-based systems
+-	if _, err := os.Stat("/etc/debian_version"); err == nil {
++	if _, err := os.Stat("%%PREFIX%%/etc/debian_version"); err == nil {
+ 		return OSTypeDebian
+ 	}
+ 
+ 	// Check for Arch Linux
+-	if _, err := os.Stat("/etc/arch-release"); err == nil {
++	if _, err := os.Stat("%%PREFIX%%/etc/arch-release"); err == nil {
+ 		return OSTypeArch
+ 	}
+ 
+ 	// Check for SUSE Linux
+-	if _, err := os.Stat("/etc/SuSE-release"); err == nil {
++	if _, err := os.Stat("%%PREFIX%%/etc/SuSE-release"); err == nil {
+ 		return OSTypeSUSE
+ 	}
+-	if _, err := os.Stat("/etc/SUSE-brand"); err == nil {
++	if _, err := os.Stat("%%PREFIX%%/etc/SUSE-brand"); err == nil {
+ 		return OSTypeSUSE
+ 	}
+ 
+-	// Check for /etc/os-release which exists on most modern Linux systems
+-	if content, err := os.ReadFile("/etc/os-release"); err == nil {
++	// Check for %%PREFIX%%/etc/os-release which exists on most modern Linux systems
++	if content, err := os.ReadFile("%%PREFIX%%/etc/os-release"); err == nil {
+ 		contentStr := string(content)
+ 		if strings.Contains(contentStr, "ID=rhel") ||
+ 			strings.Contains(contentStr, "ID=centos") ||
diff --git a/security/opkssh/files/patch-policy_enforcer.go b/security/opkssh/files/patch-policy_enforcer.go
new file mode 100644
index 000000000000..0330f82a4251
--- /dev/null
+++ b/security/opkssh/files/patch-policy_enforcer.go
@@ -0,0 +1,11 @@
+--- policy/enforcer.go.orig	2025-11-15 20:20:44 UTC
++++ policy/enforcer.go
+@@ -54,7 +54,7 @@ type checkedClaims struct {
+ }
+ 
+ // The default location for policy plugins
+-const pluginPolicyDir = "/etc/opk/policy.d"
++const pluginPolicyDir = "%%PREFIX%%/etc/opk/policy.d"
+ 
+ // Validates that the server defined identity attribute matches the
+ // respective claim from the identity token
diff --git a/security/opkssh/files/patch-policy_policyloader.go b/security/opkssh/files/patch-policy_policyloader.go
new file mode 100644
index 000000000000..e32d18134c99
--- /dev/null
+++ b/security/opkssh/files/patch-policy_policyloader.go
@@ -0,0 +1,11 @@
+--- policy/policyloader.go.orig	2025-11-15 20:20:44 UTC
++++ policy/policyloader.go
+@@ -29,7 +29,7 @@ import (
+ 
+ // SystemDefaultPolicyPath is the default filepath where opkssh policy is
+ // defined
+-var SystemDefaultPolicyPath = filepath.FromSlash("/etc/opk/auth_id")
++var SystemDefaultPolicyPath = filepath.FromSlash("%%PREFIX%%/etc/opk/auth_id")
+ 
+ // UserLookup defines the minimal interface to lookup users on the current
+ // system
diff --git a/security/opkssh/files/pkg-message.in b/security/opkssh/files/pkg-message.in
new file mode 100644
index 000000000000..49cc063a10ae
--- /dev/null
+++ b/security/opkssh/files/pkg-message.in
@@ -0,0 +1,22 @@
+[
+{ type: install
+  message: <<EOM
+Configure your sshd_config(5) with the following to use opkssh for authorization:
+
+  AuthorizedKeysCommand %%PREFIX%%/bin/opkssh verify %u %k %t
+  AuthorizedKeysCommandUser %%USER%%
+
+opkssh uses the '%%PREFIX%%/etc/opk' directory, where providers and identities are stored.
+Neither the directory nor the files are created automatically, so you must create them
+yourself. After creating the 'auth_id' and 'providers' files, they must have the
+following permissions:
+
+  chown root:%%GROUP%% %%PREFIX%%/etc/opk/auth_id
+  chmod 640 %%PREFIX%%/etc/opk/auth_id
+  chown root:%%GROUP%% %%PREFIX%%/etc/opk/providers
+  chmod 640 %%PREFIX%%/etc/opk/providers
+
+Users attempting to use opkssh from jails, please add "allow.mlock" or it will not run.
+EOM
+}
+]