- Update to 4.3p1

- Use DISTVERSION
- Add most configuration in OPTIONS
- Enable support to libedit in sftp [1]
- Add OPTIONS to HPN patches [2]
- Add new rc.d script [3]
- New rc.d script are responsible to check configuration and create host keys
- Using USE_RC_SUBR
- Modify pkg-message to reflect new rc.d script
- Fix pkg-plist

Reviewd by:	dougb [3]
Submitted by:	vs [1], brooks [2]
Tested by:	me, John E Hein

security/openssh-portable/Makefile

@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	openssh
-PORTVERSION=	4.2.0.0
+DISTVERSION=	4.3p1
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \
@@ -19,19 +19,17 @@ DISTNAME=	# empty
 MAINTAINER=	mnag@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 
-OPENSSHVERSION=	4.2p1
-
 .if defined(OPENSSH_SNAPSHOT)
 PORTREVISION!=		date -v-1d +%Y%m%d
 NO_CHECKSUM=		yes
 MASTER_SITE_SUBDIR+=	snapshot
 DISTNAME+=		${PORTNAME}-SNAP-${PORTREVISION}
-WRKSRC=			${WRKDIR}/${PORTNAME}
 .else
-DISTNAME+=		${PORTNAME}-${OPENSSHVERSION}
-WRKSRC=			${WRKDIR}/${PORTNAME}-${OPENSSHVERSION}
+DISTNAME+=		${PORTNAME}-${DISTVERSION}
 .endif
 
+WRKSRC=			${WRKDIR}/${PORTNAME}-${DISTVERSION}
+
 MAN1=	sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
 MLINKS=	ssh.1 slogin.1
 MAN5=	ssh_config.5 sshd_config.5
@@ -54,24 +52,48 @@ PORTABLE_SUFFIX=	-portable
 SUDO?=		# empty
 MAKE_ENV+=	SUDO="${SUDO}"
 
-OPTIONS=	SUID_SSH	"Enable suid SSH (Recommended off)"	off \
+OPTIONS=	PAM		"Enable pam(3) support"			on \
+		TCP_WRAPPERS	"Enable tcp_wrappers support"		on \
+		LIBEDIT		"Enable readline support to sftp(1)"	on \
+		KERBEROS	"Enable kerberos (autodetection)"	on \
+		SUID_SSH	"Enable suid SSH (Recommended off)"	off \
 		GSSAPI		"Enable GSSAPI support"			off \
-		OPENSSH_CHROOT	"Enable CHROOT support"			off
+		OPENSSH_CHROOT	"Enable CHROOT support"			off \
+		HPN		"Enable HPN-11 SSH/SCP patch"		off \
+		HPN_NONECIPHER	"Enable HPN-11 with None Cipher patch"	off \
+		OVERWRITE_BASE	"OpenSSH overwrite base"		off
 
 .include <bsd.port.pre.mk>
 
-.if exists(/usr/include/security/pam_modules.h)
+# Preserve deprecated OPENSSH_OVERWRITE_BASE settings
+.if defined(OPENSSH_OVERWRITE_BASE)
+WITH_OVERWRITE_BASE=	yes
+.endif
+
+.if !defined(WITHOUT_PAM) && exists(/usr/include/security/pam_modules.h)
 CONFIGURE_ARGS+=	--with-pam
 .endif
 
-.if exists(/usr/include/tcpd.h)
+.if !defined(WITHOUT_TCP_WRAPPERS) && exists(/usr/include/tcpd.h)
 CONFIGURE_ARGS+=	--with-tcp-wrappers
 .endif
 
+.if !defined(WITHOUT_LIBEDIT)
+.if ${OSVERSION} > 500000
+CONFIGURE_ARGS+=	--with-libedit
+.else
+.if !defined(WITH_OVERWRITE_BASE)
+LIB_DEPENDS+=		edit.6:${PORTSDIR}/devel/libedit
+CONFIGURE_ARGS+=	--with-libedit=${LOCALBASE}
+.endif
+.endif
+.endif
+
 .if !defined(WITH_SUID_SSH)
 CONFIGURE_ARGS+=	--disable-suid-ssh
 .endif
 
+.if !defined(WITHOUT_KERBEROS)
 .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
 PORTABLE_SUFFIX=	# empty
 GSSAPI_SUFFIX=		-gssapi
@@ -84,34 +106,51 @@ LDFLAGS=		# empty
 .else
 CONFLICTS+=		openssh-gssapi-*-[0-9]*
 CONFIGURE_ARGS+=	--with-rpath=${OPENSSLRPATH}
-.if !defined(WITHOUT_KERBEROS) && exists(/usr/include/krb5.h)
+.if exists(/usr/include/krb5.h)
 CONFIGURE_ARGS+=	--with-kerberos5
 EXTRA_PATCHES+=		${FILESDIR}/gss-serv.c.patch
 .endif
 .endif
+.endif
 
 .if ${OPENSSLBASE} != "/usr"
 CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 .endif
 
-.if defined(BATCH)
-EXTRA_PATCHES+=		${FILESDIR}/batch.patch
-.endif
-
 .if defined(WITH_OPENSSH_CHROOT)
 CFLAGS+=		-DCHROOT
 .endif
 
-.if defined(OPENSSH_OVERWRITE_BASE)
+.if defined(WITH_HPN)
+.if defined(WITH_HPN_NONECIPHER)
+IGNORE=			please, select only one HPN patch. Rerun 'make config'
+.endif
+PATCH_DIST_STRIP=	-p1
+PATCH_SITES+=		http://www.psc.edu/networking/projects/hpn-ssh/
+PATCHFILES+=		openssh-${DISTVERSION}-hpn11.diff
+.endif
+
+.if defined(WITH_HPN_NONECIPHER)
+.if defined(WITH_HPN)
+IGNORE=			please, select only one HPN patch. Rerun 'make config'
+.endif
+PATCH_DIST_STRIP=	-p1
+PATCH_SITES+=		http://www.psc.edu/networking/projects/hpn-ssh/
+PATCHFILES+=		openssh-${DISTVERSION}-hpn11-none.diff
+.endif
+
+.if defined(WITH_OVERWRITE_BASE)
 WITH_OPENSSL_BASE=	yes
 BASE_SUFFIX=		-overwrite-base
 CONFIGURE_ARGS+=	--mandir=${PREFIX}/share/man --localstatedir=/var
 EMPTYDIR=		/var/empty
 PREFIX=			/usr
 ETCSSH=			/etc/ssh
+USE_RC_SUBR=		yes
+SUB_FILES+=		openssh
+SUB_LIST+=		ETCSSH="${ETCSSH}"
 PLIST_SUB+=		NOTBASE="@comment "
 PLIST_SUB+=		BASE=""
-PKGMESSAGE=		pkg-message.empty
 .else
 .if exists(/var/empty)
 EMPTYDIR=		/var/empty
@@ -119,6 +158,8 @@ EMPTYDIR=		/var/empty
 EMPTYDIR=		${PREFIX}/empty
 .endif
 ETCSSH=			${PREFIX}/etc/ssh
+USE_RC_SUBR=		openssh
+SUB_LIST+=		ETCSSH="${ETCSSH}"
 PLIST_SUB+=		NOTBASE=""
 PLIST_SUB+=		BASE="@comment "
 .endif
@@ -127,15 +168,17 @@ PLIST_SUB+=		BASE="@comment "
 PLIST_SUB+=		EMPTYDIR="${EMPTYDIR}"
 CONFIGURE_ARGS+=	--sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
 
+post-extract:
+.if defined(OPENSSH_SNAPSHOT)
+	@# rc.d script have same name of openssh snapshot dir
+	@${MV} ${WRKDIR}/${PORTNAME} ${WRKDIR}/${PORTNAME}-${DISTVERSION}
+.endif
+
 post-patch:
 	@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
 
-post-configure:
-	${SED} -e 's:__PREFIX__:${PREFIX}:g' \
-		${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh
-
 pre-install:
-.if defined(OPENSSH_OVERWRITE_BASE)
+.if defined(WITH_OVERWRITE_BASE)
 	@${MKDIR} ${EMPTYDIR}
 .else
 	@${MKDIR} ${PREFIX}/empty
@@ -154,14 +197,23 @@ pre-install:
 .endfor
 
 post-install:
-.if !defined(OPENSSH_OVERWRITE_BASE)
-	${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample
-.endif
+.if !defined(WITH_OVERWRITE_BASE)
 	${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist
 	${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist
-.if !defined(OPENSSH_OVERWRITE_BASE)
-	@${CAT} ${PKGMESSAGE}
 .endif
+.if defined(WITH_OVERWRITE_BASE)
+	@${ECHO_CMD} "===> Installing rc.d startup script(s)"
+	@${ECHO_CMD} "@cwd ${LOCALBASE}" >> ${TMPPLIST}
+.if ${OSVERSION} >= 700007
+	@${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh
+	@${ECHO_CMD} "etc/rc.d/openssh" >> ${TMPPLIST}
+.else
+	@${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh.sh
+	@${ECHO_CMD} "etc/rc.d/openssh.sh" >> ${TMPPLIST}
+.endif
+	@${ECHO_CMD} "@cwd ${PREFIX}" >> ${TMPPLIST}
+.endif
+	@${CAT} ${PKGMESSAGE}
 
 test:	build
 	(cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} TEST_SHELL=/bin/sh \

security/openssh-portable/distinfo

@@ -1,3 +1,9 @@
-MD5 (openssh-4.2p1.tar.gz) = df899194a340c933944b193477c628fa
-SHA256 (openssh-4.2p1.tar.gz) = 2a61e84b36958c0af19e4f6f9f3e27f8ed432a5188d654e26602402fd4047f6d
-SIZE (openssh-4.2p1.tar.gz) = 914165
+MD5 (openssh-4.3p1.tar.gz) = eaeb880b1b6c63b9a4d7c5b1e74727c4
+SHA256 (openssh-4.3p1.tar.gz) = 7a4e356742190901e458b7526f91dfa24c66babbcd24d55cf7eac282266f5254
+SIZE (openssh-4.3p1.tar.gz) = 940777
+MD5 (openssh-4.3p1-hpn11.diff) = 7dd2a6716b81da33af4ca960185fdd1b
+SHA256 (openssh-4.3p1-hpn11.diff) = 0a0b0e07bd845fdbf2112769c426a3b47b795076c8459f6dbc3e7c9060abb740
+SIZE (openssh-4.3p1-hpn11.diff) = 11024
+MD5 (openssh-4.3p1-hpn11-none.diff) = bf4f192a36bbee39ea23423ab06b0fb6
+SHA256 (openssh-4.3p1-hpn11-none.diff) = ed9abd22a463e4aedaaac4fc04747741bbf8cddf32fa07e9d91433221cdf9dc3
+SIZE (openssh-4.3p1-hpn11-none.diff) = 16617

security/openssh-portable/files/gss-serv.c.patch

@@ -1,18 +1,19 @@
---- gss-serv.c.DIST	Tue Sep  2 14:56:42 2003
-+++ gss-serv.c	Mon Oct  6 17:56:23 2003
-@@ -138,6 +138,15 @@
+--- gss-serv.c.orig	Sat Nov  5 02:07:05 2005
++++ gss-serv.c	Thu Feb  2 22:45:37 2006
+@@ -134,6 +134,16 @@
  	OM_uint32 offset;
  	OM_uint32 oidl;
  
 +#if defined(HEIMDAL)
 +	if (strcmp(heimdal_version, "Heimdal 0.6") < 0) {
-+	    name->length = ename->length;
-+	    name->value = xmalloc(name->length+1);
-+	    memcpy(name->value,ename->value,name->length);
-+	    ((char *)name->value)[name->length] = 0;
-+	    return GSS_S_COMPLETE;
++		name->length = ename->length;
++		name->value = xmalloc(name->length+1);
++		memcpy(name->value,ename->value,name->length);
++		((char *)name->value)[name->length] = 0;
++		return GSS_S_COMPLETE;
 +	}
 +#endif
- 	tok=ename->value;
++
+ 	tok = ename->value;
  
  	/*

security/openssh-portable/files/openssh.in

@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: openssh
+# REQUIRE: DAEMON
+#
+# Add the following lines to /etc/rc.conf to enable openssh:
+#
+# openssh_enable (bool):	Set it to "YES" to enable openssh.
+#				Default is "NO".
+# openssh_flags (flags):	Set extra flags to openssh.
+#				Default is "". see sshd(1).
+# openssh_pidfile (path):	Set full path to pid file.
+#				Default is "/var/run/sshd.pid".
+#
+
+. %%RC_SUBR%%
+
+name="openssh"
+rcvar=${name}_enable
+
+command=%%PREFIX%%/sbin/sshd
+extra_commands="reload"
+
+pidfile=${openssh_pidfile}
+
+start_precmd="${name}_checks"
+restart_precmd="${name}_checks"
+
+openssh_checks()
+{
+	if checkyesno sshd_enable ; then
+		err 1 "sshd_enable is set. Please set sshd_enable to NO in your rc.conf"
+	fi
+
+	if [ ! -f %%ETCSSH%%/ssh_host_key -o \
+		! -f %%ETCSSH%%/ssh_host_dsa_key -o \
+		! -f %%ETCSSH%%/ssh_host_rsa_key ]; then
+
+		umask 022
+
+		# Can't do anything if ssh is not installed
+		[ -x %%PREFIX%%/bin/ssh-keygen ] || {
+			err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
+		}
+
+		if [ -f %%ETCSSH%%/ssh_host_key ]; then
+			echo "You already have an RSA host key" \
+				"in %%ETCSSH%%/ssh_host_key"
+			echo "Skipping protocol version 1 RSA Key Generation"
+		else
+			%%PREFIX%%/bin/ssh-keygen -t rsa1 -b 1024 \
+				-f %%ETCSSH%%/ssh_host_key -N ''
+		fi
+
+		if [ -f %%ETCSSH%%/ssh_host_dsa_key ]; then
+			echo "You already have a DSA host key" \
+				"in %%ETCSSH%%/ssh_host_dsa_key"
+			echo "Skipping protocol version 2 DSA Key Generation"
+		else
+			%%PREFIX%%/bin/ssh-keygen -t dsa \
+				-f %%ETCSSH%%/ssh_host_dsa_key -N ''
+		fi
+
+		if [ -f %%ETCSSH%%/ssh_host_rsa_key ]; then
+			echo "You already have a RSA host key" \
+				"in %%ETCSSH%%/ssh_host_rsa_key"
+			echo "Skipping protocol version 2 RSA Key Generation"
+		else
+			%%PREFIX%%/bin/ssh-keygen -t rsa \
+				-f %%ETCSSH%%/ssh_host_rsa_key -N ''
+		fi
+
+	fi
+
+	eval "${command} -t"
+}
+
+load_rc_config $name
+
+: ${openssh_enable="NO"}
+: ${openssh_pidfile="/var/run/sshd.pid"}
+
+run_rc_command "$1"

security/openssh-portable/files/patch-Makefile.in

@@ -5,7 +5,7 @@
  	(cd scard && $(MAKE) -f Makefile.in distprep)
  
 -install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf check-config
++install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
  install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
  install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
  

security/openssh-portable/files/sshd.sh

@@ -1,24 +0,0 @@
-#!/bin/sh
-case "$1" in
-start)
-	__PREFIX__/sbin/sshd
-	echo -n ' sshd'
-	;;
-stop)
-	if [ -f /var/run/sshd.pid ]; then
-		kill -TERM `cat /var/run/sshd.pid`
-		rm -f /var/run/sshd.pid
-		echo -n ' sshd'
-	fi
-	;;
-restart)
-	if [ -f /var/run/sshd.pid ]; then
-		kill -HUP `cat /var/run/sshd.pid`
-		echo 'sshd restarted'
-	fi
-	;;
-*)
-	echo "Usage: ${0##*/}: { start | stop | restart }" >&2
-	exit 64
-	;;
-esac

security/openssh-portable/pkg-message

@@ -1,12 +1,8 @@
-To enable this port, please add sshd_program=/usr/local/sbin/sshd and make
-sure sshd_enable is set to YES in your /etc/rc.conf
+To enable this port, add openssh_enable="YES" in your rc.conf. To
+prevent conflict with openssh in the base system add sshd_enable="NO"
+in your rc.conf.
 
-You may also want to put NO_OPENSSH=    true in your /etc/make.conf
-and make sure your path is setup to /usr/local/bin before /usr/bin so that
-you are running the port version of openssh and not the version that comes
-with FreeBSD
-
-'PermitRootLogin no' is the new default for the OpenSSH port.
+'PermitRootLogin no' is the default for the OpenSSH port.
 This now matches the PermitRootLogin configuration of OpenSSH in
 the base system.  Please be aware of this when upgrading your
 OpenSSH port, and if truly necessary, re-enable remote root login

security/openssh-portable/pkg-plist

@@ -7,32 +7,22 @@ bin/ssh-add
 bin/ssh-agent
 bin/ssh-keygen
 bin/ssh-keyscan
-%%NOTBASE%%etc/rc.d/sshd.sh.sample
 %%NOTBASE%%etc/ssh/moduli
-%%NOTBASE%%@exec [ -f %D/etc/ssh_config ] && [ ! -f %D/etc/ssh/ssh_config ] && ln %D/etc/ssh_config %D/etc/ssh/ssh_config
-%%NOTBASE%%@exec [ -f %D/etc/sshd_config ] && [ ! -f %D/etc/ssh/sshd_config ] && ln %D/etc/sshd_config %D/etc/ssh/sshd_config
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key ] && [ ! -f %D/etc/ssh/ssh_host_key ] && ln %D/etc/ssh_host_key %D/etc/ssh/ssh_host_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_key.pub ] && ln %D/etc/ssh_host_key.pub %D/etc/ssh/ssh_host_key.pub
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key ] && ln %D/etc/ssh_host_rsa_key %D/etc/ssh/ssh_host_rsa_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key.pub ] && ln %D/etc/ssh_host_rsa_key.pub %D/etc/ssh/ssh_host_rsa_key.pub
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key ] && ln %D/etc/ssh_host_dsa_key %D/etc/ssh/ssh_host_dsa_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key.pub ] && ln %D/etc/ssh_host_dsa_key.pub %D/etc/ssh/ssh_host_dsa_key.pub
+%%NOTBASE%%@exec if [ -f %D/etc/ssh_config -a ! -f %D/etc/ssh/ssh_config ]; then ln %D/etc/ssh_config %D/etc/ssh/ssh_config ; fi
+%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
 %%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
 %%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
 %%NOTBASE%%etc/ssh/ssh_config-dist
 %%NOTBASE%%etc/ssh/sshd_config-dist
-%%NOTBASE%%@exec [ ! -f %D/etc/ssh/ssh_config ] && cp %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config
-%%NOTBASE%%@exec [ ! -f %D/etc/ssh/sshd_config ] && cp %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config
-%%NOTBASE%%@dirrm etc/ssh
+%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
+%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
+%%NOTBASE%%@dirrmtry etc/ssh
 sbin/sshd
 share/Ssh.bin
 libexec/sftp-server
 libexec/ssh-keysign
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_key ]; then echo ">> Generating a secret RSA1 host key."; %D/bin/ssh-keygen -t rsa1 -N "" -f %D/etc/ssh/ssh_host_key; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_rsa_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -t rsa -N "" -f %D/etc/ssh/ssh_host_rsa_key; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -t dsa -N "" -f %D/etc/ssh/ssh_host_dsa_key; fi
 %%NOTBASE%%@exec mkdir -p %D/empty
 %%NOTBASE%%@dirrm empty
-%%BASE%%@exec mkdir -p %%EMPTYDIR%%
+%%BASE%%@exec if [ ! -d %%EMPTYDIR%% ]; then mkdir -p %%EMPTYDIR%% ; fi
 @exec if ! pw groupshow sshd 2>/dev/null; then pw groupadd sshd -g 22; fi
 @exec if ! pw usershow sshd 2>/dev/null; then pw useradd sshd -g sshd -u 22 -h - -d %%EMPTYDIR%% -s /nonexistent -c "sshd privilege separation"; fi