Tue Jul 14 22:03:39 2015 UTC ()

Pullup ticket #4771 - requested by taca
security/openssh: security update

Revisions pulled up:
- security/openssh/Makefile                                     1.233
- security/openssh/distinfo                                     1.92-1.93
- security/openssh/options.mk                                   1.30
- security/openssh/patches/patch-Makefile.in                    1.4
- security/openssh/patches/patch-auth-passwd.c                  1.2
- security/openssh/patches/patch-auth-rhosts.c                  1.2
- security/openssh/patches/patch-auth.c                         1.3
- security/openssh/patches/patch-auth1.c                        1.3
- security/openssh/patches/patch-auth2.c                        1.4
- security/openssh/patches/patch-channels.c                     1.2
- security/openssh/patches/patch-clientloop.c                   1.2
- security/openssh/patches/patch-compat.c                       deleted
- security/openssh/patches/patch-config.h.in                    1.4
- security/openssh/patches/patch-configure                      deleted
- security/openssh/patches/patch-configure.ac                   1.4
- security/openssh/patches/patch-defines.h                      1.3
- security/openssh/patches/patch-includes.h                     1.3
- security/openssh/patches/patch-openbsd-compat_openbsd-compat.h 1.3
- security/openssh/patches/patch-openbsd-compat_port-tun.c      1.2
- security/openssh/patches/patch-platform.c                     1.4
- security/openssh/patches/patch-scp.c                          1.3
- security/openssh/patches/patch-session.c                      1.4
- security/openssh/patches/patch-ssh.c                          1.4
- security/openssh/patches/patch-sshconnect.c                   deleted
- security/openssh/patches/patch-sshd.8                         1.1
- security/openssh/patches/patch-sshd.c                         1.4
- security/openssh/patches/patch-sshpty.c                       1.2

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Jul  9 16:14:24 UTC 2015

   Modified Files:
   	pkgsrc/security/openssh: Makefile distinfo options.mk
   	pkgsrc/security/openssh/patches: patch-Makefile.in patch-auth-passwd.c
   	    patch-auth-rhosts.c patch-auth.c patch-auth1.c patch-auth2.c
   	    patch-channels.c patch-clientloop.c patch-config.h.in
   	    patch-configure.ac patch-defines.h patch-includes.h
   	    patch-openbsd-compat_openbsd-compat.h
   	    patch-openbsd-compat_port-tun.c patch-platform.c patch-scp.c
   	    patch-session.c patch-ssh.c patch-sshd.c patch-sshpty.c
   Added Files:
   	pkgsrc/security/openssh/patches: patch-sshd.8
   Removed Files:
   	pkgsrc/security/openssh/patches: patch-compat.c patch-configure
   	    patch-sshconnect.c

   Log Message:
   Update openssh to 6.9.1 (OpenSSH 6.9p1) which contains security fix.

   pkgsrc change:

   * tcp_wrappers support was removed from release 6.7, but add it refering
     FreeBSD's ports.
   * hpn-patch is also based on FreeBSD's ports.

   Security
   --------

    * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
      connections made after ForwardX11Timeout expired could be permitted
      and no longer subject to XSECURITY restrictions because of an
      ineffective timeout check in ssh(1) coupled with "fail open"
      behaviour in the X11 server when clients attempted connections with
      expired credentials. This problem was reported by Jann Horn.

    * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
      password guessing by implementing an increasing failure delay,
      storing a salted hash of the password rather than the password
      itself and using a timing-safe comparison function for verifying
      unlock attempts. This problem was reported by Ryan Castellucci.

   For more information, please refer release announce.

   	http://www.openssh.com/txt/release-6.9
   	http://www.openssh.com/txt/release-6.8
   	http://www.openssh.com/txt/release-6.7

---
   Module Name:	pkgsrc
   Committed By:	dsainty
   Date:		Fri Jul 10 07:00:29 UTC 2015

   Modified Files:
   	pkgsrc/security/openssh: distinfo

   Log Message:
   Remove dangling stale hash for patch-sshconnect.c


(tron)

--- pkgsrc/security/openssh/Makefile 2015/06/12 10:51:03 1.230
+++ pkgsrc/security/openssh/Makefile 2015/07/14 22:03:39 1.230.2.1

 @@ -1,33 +1,32 @@
-# $NetBSD: Makefile,v 1.230 2015/06/12 10:51:03 wiz Exp $
+# $NetBSD: Makefile,v 1.230.2.1 2015/07/14 22:03:39 tron Exp $
-DISTNAME=		openssh-6.6p1
+DISTNAME=		openssh-6.9p1
-PKGNAME=		openssh-6.6.1
+PKGNAME=		openssh-6.9.1
 PKGREVISION=		7
 CATEGORIES=		security
 MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.openssh.com/
 COMMENT=		Open Source Secure shell client and server (remote login program)
 CONFLICTS=		sftp-[0-9]*
 CONFLICTS+=		ssh-[0-9]* ssh6-[0-9]*
 CONFLICTS+=		ssh2-[0-9]* ssh2-nox11-[0-9]*
 CONFLICTS+=		openssh+gssapi-[0-9]*
 CONFLICTS+=		lsh>2.0
 USE_GCC_RUNTIME=	yes
-USE_TOOLS+=		perl
+USE_TOOLS+=		autoconf perl
 CRYPTO=			yes
 # retain the following line, for IPv6-ready pkgsrc webpage
 BUILD_DEFS+=		IPV6_READY
 PKG_GROUPS_VARS+=	OPENSSH_GROUP
 PKG_USERS_VARS+=	OPENSSH_USER
 BUILD_DEFS+=		OPENSSH_CHROOT
 BUILD_DEFS+=		VARBASE
 INSTALL_TARGET=		install-nokeys
 @@ -162,26 +161,29 @@ FILES_SUBST+=		SSH_PID_DIR=${SSH_PID_DIR
 SUBST_CLASSES+=		patch
 SUBST_STAGE.patch=	pre-configure
 SUBST_FILES.patch=	session.c
 SUBST_SED.patch=	-e '/channel_input_port_forward_request/s/0/ROOTUID/'
 SUBST_MESSAGE.patch=	More patch a file.
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../security/openssl/buildlink3.mk"
 .include "../../security/tcp_wrappers/buildlink3.mk"
+#
 # type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
 pre-configure:
 	cd ${WRKSRC} && autoconf -i
 post-configure:
 	if ${EGREP} -q '^\#define[ 	]+OPENSSL_HAS_ECC' \
 	    ${WRKSRC}/config.h; then \
 		${SED} -e '/HAVE_ECDSA/s/.*//' \
 			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
 	else \
 		${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
 			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
 	fi
 post-install:
 	${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
 	cd ${WRKSRC}; for file in ${CONFS}; do				\

--- pkgsrc/security/openssh/distinfo 2015/05/16 14:43:02 1.91
+++ pkgsrc/security/openssh/distinfo 2015/07/14 22:03:39 1.91.2.1

 @@ -1,35 +1,33 @@
-$NetBSD: distinfo,v 1.91 2015/05/16 14:43:02 sevan Exp $
+$NetBSD: distinfo,v 1.91.2.1 2015/07/14 22:03:39 tron Exp $
-SHA1 (openssh-6.6p1-hpnssh14v4.diff.gz) = 1cb86c7151ea4c805cfb1197eac13844cd8f2f2c
+SHA1 (openssh-6.9p1-hpn-20150709.diff.gz) = a39571c1cdb13382631a1d9cfe89b82fb346c92c
-RMD160 (openssh-6.6p1-hpnssh14v4.diff.gz) = 292cea7880ff66040d915f2d5957dd27d0835984
+RMD160 (openssh-6.9p1-hpn-20150709.diff.gz) = 8bb077e7ecbc7550386a050209e84d6f4d895788
-Size (openssh-6.6p1-hpnssh14v4.diff.gz) = 23417 bytes
+Size (openssh-6.9p1-hpn-20150709.diff.gz) = 13370 bytes
-SHA1 (openssh-6.6p1.tar.gz) = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
+SHA1 (openssh-6.9p1.tar.gz) = 86ab57f00d0fd9bf302760f2f6deac1b6e9df265
-RMD160 (openssh-6.6p1.tar.gz) = e19ed34e240001898b6665bb4356b868bba5513d
+RMD160 (openssh-6.9p1.tar.gz) = 4fb2f0a0280db51024bf72b0f5cd3912d25cb59a
-Size (openssh-6.6p1.tar.gz) = 1282502 bytes
+Size (openssh-6.9p1.tar.gz) = 1487617 bytes
-SHA1 (patch-Makefile.in) = 3b136be23e0dab21894dcc881746cf5a186ff572
+SHA1 (patch-Makefile.in) = 2bf52a85ecdebac3aa299b25ecb561218a3316a2
-SHA1 (patch-auth-passwd.c) = de9f5487fe1f5848cc702e549bce949fd75d70cd
+SHA1 (patch-auth-passwd.c) = 32da596dd9b255ffdd8168e6ea6f62596304b116
-SHA1 (patch-auth-rhosts.c) = ab8dd3e375accc5bed3e15b158a85a1b1f9a2e3e
+SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987
-SHA1 (patch-auth.c) = 950b0380bcbb0fa1681014cfbb41528d09a10a18
+SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450
-SHA1 (patch-auth1.c) = 7b0481f445bc85cce9d7539b00bf581b9aa09fea
+SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7
-SHA1 (patch-auth2.c) = 8f4f97516874fc4af5814cbd3a1f59b9ca77b43f
+SHA1 (patch-auth2.c) = 831139b9cdbd9b4d3429ea1aba176daf78be3405
-SHA1 (patch-channels.c) = 88af4136f13f93d73c70caacea0a2ded0601d1cf
+SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa
-SHA1 (patch-clientloop.c) = 499f34ce4e067f1da8aca257cfa7dd820efa3504
+SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e
-SHA1 (patch-compat.c) = 9248aace83134287c1f0b78f2b3b61ad5545f5e2
+SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219
-SHA1 (patch-config.h.in) = 9799f48f204aa213318914f1d6c45e83a8af942f
+SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea
-SHA1 (patch-configure) = 3015dda57a5626667cf5c15c7c7be25f8844cfc6
+SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02
-SHA1 (patch-configure.ac) = 996a3bcf133a0832b9d7fa35cc0983562d9fa60a
+SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d
 SHA1 (patch-defines.h) = 4f4f4c8dc54aa86275192edf230b36737b1c0cf6
 SHA1 (patch-includes.h) = 0a899d3b38ef3de7f5b08fec022696b4e998b54e
 SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce
 SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695
-SHA1 (patch-openbsd-compat_openbsd-compat.h) = 1cafbe8f226c16443d2cfd003166923f33352eb0
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9
-SHA1 (patch-openbsd-compat_port-tun.c) = 8288e2b9336ea1fcc1129d8a2ab5e55816b2ccbf
+SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5
-SHA1 (patch-platform.c) = c2f85f494f0a38ed9fea93c46c98b20d865610a0
+SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6
-SHA1 (patch-scp.c) = 97e33843cc1b93babb6c45225c07ac74555e6d54
+SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0
-SHA1 (patch-session.c) = 55e84175c7294816107c970f002401d1766f7095
+SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e
 SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd
-SHA1 (patch-ssh.c) = 8965e0458aabc137fa3b5e53c6573c0f0fba8280
+SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca
-SHA1 (patch-sshconnect.c) = 7bee56ee50ec26913999296eefa93c0be63a9e75
+SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15
-SHA1 (patch-sshd.c) = 43b3e4383142303a5d1158f08baee4a27f2f7b13
+SHA1 (patch-sshd.c) = f84fd4b4d299f75792f31d8967a1f9f6273ff06b
-SHA1 (patch-sshpty.c) = 9f08f899919d05567998087a060b90800c2c7b11
+SHA1 (patch-sshpty.c) = f87451e49e39fe137c8876fae52110dc2569958a
 SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd

--- pkgsrc/security/openssh/options.mk 2014/03/29 10:30:15 1.29
+++ pkgsrc/security/openssh/options.mk 2015/07/14 22:03:39 1.29.12.1

 @@ -1,32 +1,32 @@
-# $NetBSD: options.mk,v 1.29 2014/03/29 10:30:15 taca Exp $
+# $NetBSD: options.mk,v 1.29.12.1 2015/07/14 22:03:39 tron Exp $
 .include "../../mk/bsd.prefs.mk"
 PKG_OPTIONS_VAR=	PKG_OPTIONS.openssh
 PKG_SUPPORTED_OPTIONS=	kerberos hpn-patch pam
 .include "../../mk/bsd.options.mk"
 .if !empty(PKG_OPTIONS:Mkerberos)
 .  include "../../mk/krb5.buildlink3.mk"
 CONFIGURE_ARGS+=	--with-kerberos5=${KRB5BASE:Q}
 .  if ${KRB5_TYPE} == "mit-krb5"
 CONFIGURE_ENV+=		ac_cv_search_k_hasafs=no
 .  endif
 .endif
 .if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES=		openssh-6.6p1-hpnssh14v4.diff.gz
+PATCHFILES=		openssh-6.9p1-hpn-20150709.diff.gz
 PATCH_SITES=		ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
 PATCH_DIST_STRIP=	-p1
 .endif
 PLIST_VARS+=	pam
 .if !empty(PKG_OPTIONS:Mpam)
 .include "../../mk/pam.buildlink3.mk"
 CONFIGURE_ARGS+=	--with-pam
 MESSAGE_SRC+=		${.CURDIR}/MESSAGE.pam
 MESSAGE_SUBST+=		EGDIR=${EGDIR}
 .if ${OPSYS} == "Linux"
 PLIST.pam=	yes

--- pkgsrc/security/openssh/patches/patch-Makefile.in 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/patch-Makefile.in 2015/07/14 22:03:39 1.3.12.1

 @@ -1,27 +1,27 @@
-$NetBSD: patch-Makefile.in,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-Makefile.in,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
 Removed install-sysconf as we handle that phase through post-install
---- Makefile.in.orig	2014-02-04 00:12:56.000000000 +0000
+--- Makefile.in.orig	2015-07-01 02:35:31.000000000 +0000
 +++ Makefile.in
 @@ -2,5 +2,5 @@
  # uncomment if you run a non bourne compatable shell. Ie. csh
 -#SHELL = @SH@
 +SHELL = @SH@
  AUTORECONF=autoreconf
 @@ -23,5 +23,5 @@ DESTDIR=
  VPATH=@srcdir@
  SSH_PROGRAM=@bindir@/ssh
 -ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-@@ -250,5 +250,5 @@ distprep: catman-do
+@@ -288,5 +288,5 @@ distprep: catman-do
  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
 -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
 +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
  install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files

--- pkgsrc/security/openssh/patches/Attic/patch-auth2.c 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/Attic/patch-auth2.c 2015/07/14 22:03:39 1.3.12.1

 @@ -1,15 +1,15 @@
-$NetBSD: patch-auth2.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-auth2.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
 Replace uid 0 with ROOTUID macro
---- auth2.c.orig	2014-02-04 00:12:57.000000000 +0000
+--- auth2.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ auth2.c
-@@ -301,7 +301,7 @@ userauth_finish(Authctxt *authctxt, int
+@@ -302,7 +330,7 @@ userauth_finish(Authctxt *authctxt, int
  		fatal("INTERNAL ERROR: authenticated and postponed");
  	/* Special handling for root */
 -	if (authenticated && authctxt->pw->pw_uid == 0 &&
 +	if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
  	    !auth_root_allowed(method)) {
  		authenticated = 0;
  #ifdef SSH_AUDIT_EVENTS

--- pkgsrc/security/openssh/patches/patch-config.h.in 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/patch-config.h.in 2015/07/14 22:03:39 1.3.12.1

 @@ -1,26 +1,37 @@
-$NetBSD: patch-config.h.in,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-config.h.in,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
-Added Interix and define new path to if_tun.h
+* Added Interix and define new path to if_tun.h.
 * Revive tcp_wrappers support.
---- config.h.in.orig	2014-03-13 02:18:56.000000000 +0000
+--- config.h.in.orig	2015-07-01 02:41:59.000000000 +0000
 +++ config.h.in
-@@ -636,6 +636,9 @@
+@@ -640,6 +640,9 @@
  /* define if you have int64_t data type */
  #undef HAVE_INT64_T
 +/* Define if you are on Interix */
 +#undef HAVE_INTERIX
++
  /* Define to 1 if the system has the type `intmax_t'. */
  #undef HAVE_INTMAX_T
-@@ -792,6 +795,9 @@
+@@ -799,6 +802,9 @@
  /* Define to 1 if you have the <net/if_tun.h> header file. */
  #undef HAVE_NET_IF_TUN_H
 +/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
 +#undef HAVE_NET_TUN_IF_TUN_H
++
  /* Define if you are on NeXT */
  #undef HAVE_NEXT
@@ -1394,6 +1400,9 @@
  /* Define if pututxline updates lastlog too */
  #undef LASTLOG_WRITE_PUTUTXLINE
 +/* Define if you want TCP Wrappers support */
 +#undef LIBWRAP
++
  /* Define to whatever link() returns for "not supported" if it doesn't return
     EOPNOTSUPP. */
  #undef LINK_OPNOTSUPP_ERRNO

--- pkgsrc/security/openssh/patches/patch-configure.ac 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/patch-configure.ac 2015/07/14 22:03:39 1.3.12.1

 @@ -1,69 +1,141 @@
-$NetBSD: patch-configure.ac,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-configure.ac,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
-Various fixes regarding portability
+* Various fixes regarding portability
 * Revive tcp_wrappers support.
---- configure.ac.orig	2014-02-21 17:09:34.000000000 +0000
+--- configure.ac.orig	2015-07-01 02:35:31.000000000 +0000
 +++ configure.ac
-@@ -275,6 +275,9 @@ AC_ARG_WITH([rpath],
+@@ -316,6 +316,9 @@ AC_ARG_WITH([rpath],
+ 	]
+ )
 +# pkgsrc handles any rpath settings this package needs
 +need_dash_r=
++
  # Allow user to specify flags
  AC_ARG_WITH([cflags],
  	[  --with-cflags           Specify additional flags to pass to compiler],
-@@ -346,6 +349,7 @@ AC_CHECK_HEADERS([ \
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
  	maillock.h \
  	ndir.h \
  	net/if_tun.h \
 +	net/tun/if_tun.h \
  	netdb.h \
  	netgroup.h \
  	pam/pam_appl.h \
-@@ -655,6 +659,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary("
  		;;
  	esac
  	;;
 +*-*-interix*)
 +        AC_DEFINE(HAVE_INTERIX)
 +        AC_DEFINE(DISABLE_FD_PASSING)
 +        AC_DEFINE(DISABLE_SHADOW)
 +        AC_DEFINE(IP_TOS_IS_BROKEN)
 +        AC_DEFINE(MISSING_HOWMANY)
 +        AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
 +        AC_DEFINE(USE_PIPES)
 +        ;;
  *-*-irix5*)
  	PATH="$PATH:/usr/etc"
  	AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -4731,9 +4744,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey],
+ 	]
+ )
 +# Check whether user wants TCP wrappers support
 +TCPW_MSG="no"
 +AC_ARG_WITH([tcp-wrappers],
 +	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
 +	[
 +		if test "x$withval" != "xno" ; then
 +			saved_LIBS="$LIBS"
 +			saved_LDFLAGS="$LDFLAGS"
 +			saved_CPPFLAGS="$CPPFLAGS"
 +			if test -n "${withval}" && \
 +			    test "x${withval}" != "xyes"; then
 +				if test -d "${withval}/lib"; then
 +					if test -n "${need_dash_r}"; then
 +						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
 +					else
 +						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
 +					fi
 +				else
 +					if test -n "${need_dash_r}"; then
 +						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
 +					else
 +						LDFLAGS="-L${withval} ${LDFLAGS}"
 +					fi
 +				fi
 +				if test -d "${withval}/include"; then
 +					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
 +				else
 +					CPPFLAGS="-I${withval} ${CPPFLAGS}"
 +				fi
 +			fi
 +			LIBS="-lwrap $LIBS"
 +			AC_MSG_CHECKING([for libwrap])
 +			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 +#include <sys/types.h>
 +#include <sys/socket.h>
 +#include <netinet/in.h>
 +#include <tcpd.h>
 +int deny_severity = 0, allow_severity = 0;
 +				]], [[
 +	hosts_access(0);
 +				]])], [
 +					AC_MSG_RESULT([yes])
 +					AC_DEFINE([LIBWRAP], [1],
 +						[Define if you want
 +						TCP Wrappers support])
 +					SSHDLIBS="$SSHDLIBS -lwrap"
 +					TCPW_MSG="yes"
 +				], [
 +					AC_MSG_ERROR([*** libwrap missing])
++
 +			])
 +			LIBS="$saved_LIBS"
 +		fi
 +	]
 +)
++
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
@@ -4791,9 +4860,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
  ])
  if test -z "$conf_wtmpx_location"; then
  	if test x"$system_wtmpx_path" = x"no" ; then
 -		AC_DEFINE([DISABLE_WTMPX])
 +		for f in /var/log/wtmpx; do
 +			if test -f $f ; then
 +				conf_wtmpx_location=$f
 +			fi
 +		done
 +		if test -z "$conf_wtmpx_location"; then
 +			AC_DEFINE(DISABLE_WTMPX)
 +		fi
  	fi
 -else
 +fi
 +if test -n "$conf_wtmpx_location"; then
  	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
  		[Define if you want to specify the path to your wtmpx file])
  fi
-@@ -4820,7 +4841,7 @@ echo "OpenSSH has been configured with t
+@@ -4880,7 +4957,7 @@ echo "OpenSSH has been configured with t
  echo "                     User binaries: $B"
  echo "                   System binaries: $C"
  echo "               Configuration files: $D"
 -echo "                   Askpass program: $E"
 +echo "                   Askpass program: ${ASKPASS_PROGRAM}"
  echo "                      Manual pages: $F"
  echo "                          PID file: $G"
  echo "  Privilege separation chroot path: $H"
@@ -4904,6 +4981,7 @@ echo "                 KerberosV support
  echo "                   SELinux support: $SELINUX_MSG"
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"

--- pkgsrc/security/openssh/patches/Attic/patch-platform.c 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/Attic/patch-platform.c 2015/07/14 22:03:39 1.3.12.1

 @@ -1,16 +1,16 @@
-$NetBSD: patch-platform.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-platform.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
 Interix support
---- platform.c.orig	2014-01-21 01:59:29.000000000 +0000
+--- platform.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ platform.c
-@@ -89,7 +89,9 @@ platform_privileged_uidswap(void)
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
  	/* uid 0 is not special on Cygwin so always try */
  	return 1;
  #else
 +#if !defined(HAVE_INTERIX)
  	return (getuid() == 0 || geteuid() == 0);
 +#endif /* !HAVE_INTERIX */
  #endif
+ }

--- pkgsrc/security/openssh/patches/Attic/patch-session.c 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/Attic/patch-session.c 2015/07/14 22:03:39 1.3.12.1

 @@ -1,66 +1,66 @@
-$NetBSD: patch-session.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-session.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
 Interix support
---- session.c.orig	2014-03-03 22:35:17.000000000 +0000
+--- session.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ session.c
-@@ -1109,7 +1109,7 @@ read_etc_default_login(char ***env, u_in
+@@ -1093,7 +1093,7 @@ read_etc_default_login(char ***env, u_in
  	if (tmpenv == NULL)
  		return;
 -	if (uid == 0)
 +	if (uid == ROOTUID)
  		var = child_get_env(tmpenv, "SUPATH");
  	else
  		var = child_get_env(tmpenv, "PATH");
-@@ -1218,7 +1218,7 @@ do_setup_env(Session *s, const char *she
+@@ -1202,7 +1202,7 @@ do_setup_env(Session *s, const char *she
  #  endif /* HAVE_ETC_DEFAULT_LOGIN */
  		if (path == NULL || *path == '\0') {
  			child_set_env(&env, &envsize, "PATH",
 -			    s->pw->pw_uid == 0 ?
 +			    s->pw->pw_uid == ROOTUID ?
  				SUPERUSER_PATH : _PATH_STDPATH);
+ 		}
  # endif /* HAVE_CYGWIN */
-@@ -1332,6 +1332,18 @@ do_setup_env(Session *s, const char *she
+@@ -1316,6 +1316,18 @@ do_setup_env(Session *s, const char *she
  		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
  		read_environment_file(&env, &envsize, buf);
+ 	}
++
 +#ifdef HAVE_INTERIX
 +	{
 +		/* copy standard Windows environment, then apply changes */
 +		env_t *winenv = env_login(pw);
 +		env_putarray(winenv, env, ENV_OVERRIDE);
++
 +		/* swap over to altered environment as a traditional array */
 +		env = env_array(winenv);
 +	}
 +#endif
++
  	if (debug_flag) {
  		/* dump the environment */
  		fprintf(stderr, "Environment:\n");
-@@ -1522,11 +1534,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1510,11 +1522,13 @@ do_setusercontext(struct passwd *pw)
  			perror("setgid");
  			exit(1);
+ 		}
 +# if !defined(HAVE_INTERIX)
  		/* Initialize the group list. */
  		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
  			perror("initgroups");
  			exit(1);
+ 		}
 +# endif /* !HAVE_INTERIX */
  		endgrent();
  #endif
-@@ -2358,7 +2372,7 @@ session_pty_cleanup2(Session *s)
+@@ -2356,7 +2370,7 @@ session_pty_cleanup2(Session *s)
  		record_logout(s->pid, s->tty, s->pw->pw_name);
  	/* Release the pseudo-tty. */
 -	if (getuid() == 0)
 +	if (getuid() == ROOTUID)
  		pty_release(s->tty);
  	/*

--- pkgsrc/security/openssh/patches/Attic/patch-ssh.c 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/Attic/patch-ssh.c 2015/07/14 22:03:39 1.3.12.1

 @@ -1,15 +1,15 @@
-$NetBSD: patch-ssh.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-ssh.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
 Interix support
---- ssh.c.orig	2014-02-26 23:17:13.000000000 +0000
+--- ssh.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ ssh.c
-@@ -943,7 +943,7 @@ main(int ac, char **av)
+@@ -1083,7 +1083,7 @@ main(int ac, char **av)
- 	    strcmp(options.proxy_command, "-") == 0 &&
+ 		    "disabling");
- 	    options.proxy_use_fdpass)
+ 		options.update_hostkeys = 0;
  		fatal("ProxyCommand=- and ProxyUseFDPass are incompatible");
 -#ifndef HAVE_CYGWIN
 +#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
  	if (original_effective_uid != 0)
  		options.use_privileged_port = 0;
  #endif

--- pkgsrc/security/openssh/patches/patch-sshd.c 2014/03/29 09:38:11 1.3
+++ pkgsrc/security/openssh/patches/patch-sshd.c 2015/07/14 22:03:39 1.3.12.1

 @@ -1,84 +1,125 @@
-$NetBSD: patch-sshd.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
-Interix support
+* Interix support
 * Revive tcp_wrappers support.
---- sshd.c.orig	2014-02-26 23:20:08.000000000 +0000
+--- sshd.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ sshd.c
-@@ -243,7 +243,11 @@ int *startup_pipes = NULL;
+@@ -125,6 +125,13 @@
  #include "version.h"
  #include "ssherr.h"
 +#ifdef LIBWRAP
 +#include <tcpd.h>
 +#include <syslog.h>
 +int allow_severity;
 +int deny_severity;
 +#endif /* LIBWRAP */
++
  #ifndef O_NOCTTY
  #define O_NOCTTY	0
  #endif
@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
  int startup_pipe;		/* in child */
  /* variables used for privilege separation */
 +#ifdef HAVE_INTERIX
  int use_privsep = -1;
 +#else
 +int use_privsep = 0;
 +#endif
  struct monitor *pmonitor = NULL;
  int privsep_is_preauth = 1;
-@@ -646,10 +650,15 @@ privsep_preauth_child(void)
+@@ -643,10 +654,15 @@ privsep_preauth_child(void)
  	/* XXX not ready, too heavy after chroot */
  	do_setusercontext(privsep_pw);
  #else
 +#ifdef HAVE_INTERIX
 +	if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
 +		fatal("setuser: %.100s", strerror(errno));
 +#else
  	gidset[0] = privsep_pw->pw_gid;
  	if (setgroups(1, gidset) < 0)
  		fatal("setgroups: %.100s", strerror(errno));
  	permanently_set_uid(privsep_pw);
 +#endif /* HAVE_INTERIX */
  #endif
+ }
-@@ -711,7 +720,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -714,7 +730,7 @@ privsep_preauth(Authctxt *authctxt)
  		set_log_handler(mm_log_handler, pmonitor);
  		/* Demote the child */
 -		if (getuid() == 0 || geteuid() == 0)
 +		if (getuid() == ROOTUID || geteuid() == ROOTUID)
  			privsep_preauth_child();
  		setproctitle("%s", "[net]");
  		if (box != NULL)
-@@ -729,7 +738,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -732,7 +748,7 @@ privsep_postauth(Authctxt *authctxt)
  #ifdef DISABLE_FD_PASSING
  	if (1) {
  #else
 -	if (authctxt->pw->pw_uid == 0 || options.use_login) {
 +	if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
  #endif
  		/* File descriptor passing is broken or root login */
  		use_privsep = 0;
-@@ -1413,8 +1422,10 @@ main(int ac, char **av)
+@@ -1485,8 +1501,10 @@ main(int ac, char **av)
  	av = saved_argv;
  #endif
 -	if (geteuid() == 0 && setgroups(0, NULL) == -1)
 +#ifndef HAVE_INTERIX
 +	if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
  		debug("setgroups(): %.200s", strerror(errno));
 +#endif
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
-@@ -1815,7 +1826,7 @@ main(int ac, char **av)
+@@ -1915,7 +1933,7 @@ main(int ac, char **av)
  		    (st.st_uid != getuid () ||
  		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
  #else
 -		if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
 +		if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
  #endif
  			fatal("%s must be owned by root and not group or "
  			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1838,8 +1849,10 @@ main(int ac, char **av)
+@@ -1938,8 +1956,10 @@ main(int ac, char **av)
  	 * to create a file, and we can't control the code in every
  	 * module which might be used).
  	 */
 +#ifndef HAVE_INTERIX
  	if (setgroups(0, NULL) < 0)
  		debug("setgroups() failed: %.200s", strerror(errno));
 +#endif
  	if (rexec_flag) {
  		rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
@@ -2135,6 +2155,25 @@ main(int ac, char **av)
  	audit_connection_from(remote_ip, remote_port);
  #endif
 +#ifdef LIBWRAP
 +	allow_severity = options.log_facility|LOG_INFO;
 +	deny_severity = options.log_facility|LOG_WARNING;
 +	/* Check whether logins are denied from this host. */
 +	if (packet_connection_is_on_socket()) {
 +		struct request_info req;
++
 +		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
 +		fromhost(&req);
++
 +		if (!hosts_access(&req)) {
 +			debug("Connection refused by tcp wrapper");
 +			refuse(&req);
 +			/* NOTREACHED */
 +			fatal("libwrap refuse returns");
 +		}
 +	}
 +#endif /* LIBWRAP */
++
  	/* Log the connection. */
  	laddr = get_local_ipaddr(sock_in);
  	verbose("Connection from %s port %d on %s port %d",

--- pkgsrc/security/openssh/patches/Attic/patch-auth-passwd.c 2013/05/01 19:58:26 1.1
+++ pkgsrc/security/openssh/patches/Attic/patch-auth-passwd.c 2015/07/14 22:03:39 1.1.18.1

 @@ -1,28 +1,28 @@
-$NetBSD: patch-auth-passwd.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth-passwd.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 Replace uid 0 with ROOTUID macro
---- auth-passwd.c.orig	2012-04-25 23:51:28.000000000 +0000
+--- auth-passwd.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ auth-passwd.c
-@@ -87,7 +87,7 @@ auth_password(Authctxt *authctxt, const
+@@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const
  #endif
  #ifndef HAVE_CYGWIN
 -	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
 +	if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
  		ok = 0;
  #endif
  	if (*password == '\0' && options.permit_empty_passwd == 0)
-@@ -122,7 +122,12 @@ auth_password(Authctxt *authctxt, const
+@@ -123,7 +123,12 @@ auth_password(Authctxt *authctxt, const
  			authctxt->force_pwchange = 1;
+ 	}
  #endif
++
 +#ifdef HAVE_INTERIX
 +        result = (!setuser(pw->pw_name, password, SU_CHECK));
 +#else
  	result = sys_auth_passwd(authctxt, password);
 +#endif
  	if (authctxt->force_pwchange)
  		disable_forwarding();
  	return (result && ok);

--- pkgsrc/security/openssh/patches/Attic/patch-auth-rhosts.c 2013/05/01 19:58:26 1.1
+++ pkgsrc/security/openssh/patches/Attic/patch-auth-rhosts.c 2015/07/14 22:03:39 1.1.18.1

 @@ -1,33 +1,33 @@
-$NetBSD: patch-auth-rhosts.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth-rhosts.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 Replace uid 0 with ROOTUID macro
---- auth-rhosts.c.orig	2010-03-07 12:05:17.000000000 +0000
+--- auth-rhosts.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ auth-rhosts.c
-@@ -230,7 +230,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
- 		return 0;
+ 	 * If not logging in as superuser, try /etc/hosts.equiv and
  	 * shosts.equiv.
- 	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
+ 	 */
--	if (pw->pw_uid != 0) {
+-	if (pw->pw_uid == 0)
-+	if (pw->pw_uid != ROOTUID) {
++	if (pw->pw_uid == ROOTUID)
  		debug3("%s: root user, ignoring system hosts files", __func__);
  	else {
  		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
- 		    client_user, pw->pw_name)) {
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
  			auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
@@ -256,7 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
  		return 0;
+ 	}
  	if (options.strict_modes &&
 -	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 +	    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
  	    (st.st_mode & 022) != 0)) {
  		logit("Rhosts authentication refused for %.100s: "
  		    "bad ownership or modes for home directory.", pw->pw_name);
-@@ -283,7 +283,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
  		 * allowing access to their account by anyone.
  		 */
  		if (options.strict_modes &&
 -		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 +		    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
  		    (st.st_mode & 022) != 0)) {
  			logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
  			    pw->pw_name, buf);

--- pkgsrc/security/openssh/patches/Attic/patch-openbsd-compat_port-tun.c 2013/05/01 19:58:26 1.1
+++ pkgsrc/security/openssh/patches/Attic/patch-openbsd-compat_port-tun.c 2015/07/14 22:03:39 1.1.18.1

 @@ -1,17 +1,40 @@
-$NetBSD: patch-openbsd-compat_port-tun.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 if_tun.h can be found in net/tun
---- openbsd-compat/port-tun.c.orig	2010-08-10 02:47:42.000000000 +0000
+--- openbsd-compat/port-tun.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ openbsd-compat/port-tun.c
-@@ -110,6 +110,10 @@ sys_tun_open(int tun, int mode)
+@@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode)
  #include <sys/socket.h>
  #include <net/if.h>
 +#ifdef HAVE_NET_TUN_IF_TUN_H
 +#include <net/tun/if_tun.h>
 +#endif
++
  #ifdef HAVE_NET_IF_TUN_H
  #include <net/if_tun.h>
  #endif
@@ -120,7 +124,10 @@ sys_tun_open(int tun, int mode)
+ {
  	struct ifreq ifr;
  	char name[100];
 -	int fd = -1, sock, flag;
 +	int fd = -1, sock;
 +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
 +	int flag;
 +#endif
  	const char *tunbase = "tun";
  	if (mode == SSH_TUNMODE_ETHERNET) {
@@ -154,9 +161,9 @@ sys_tun_open(int tun, int mode)
  		return (-1);
+ 	}
 +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
  	/* Turn on tunnel headers */
  	flag = 1;
 -#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
  	if (mode != SSH_TUNMODE_ETHERNET &&
  	    ioctl(fd, TUNSIFHEAD, &flag) == -1) {
  		debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,

--- pkgsrc/security/openssh/patches/Attic/patch-sshpty.c 2013/05/01 19:58:27 1.1
+++ pkgsrc/security/openssh/patches/Attic/patch-sshpty.c 2015/07/14 22:03:39 1.1.18.1

 @@ -1,24 +1,24 @@
-$NetBSD: patch-sshpty.c,v 1.1 2013/05/01 19:58:27 imil Exp $
+$NetBSD: patch-sshpty.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 Replace uid 0 with ROOTUID macro
---- sshpty.c.orig	2009-02-12 01:19:21.000000000 +0000
+--- sshpty.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ sshpty.c
 @@ -86,7 +86,7 @@ void
  pty_release(const char *tty)
+ {
- #ifndef __APPLE_PRIVPTY__
+ #if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
 -	if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
 +	if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
  		error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
  	if (chmod(tty, (mode_t) 0666) < 0)
  		error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
-@@ -233,7 +233,7 @@ pty_setowner(struct passwd *pw, const ch
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
  	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
  		if (chown(tty, pw->pw_uid, gid) < 0) {
  			if (errno == EROFS &&
 -			    (st.st_uid == pw->pw_uid || st.st_uid == 0))
 +			    (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
  				debug("chown(%.100s, %u, %u) failed: %.100s",
  				    tty, (u_int)pw->pw_uid, (u_int)gid,
  				    strerror(errno));

--- pkgsrc/security/openssh/patches/Attic/patch-auth.c 2013/12/01 06:11:41 1.2
+++ pkgsrc/security/openssh/patches/Attic/patch-auth.c 2015/07/14 22:03:39 1.2.14.1

 @@ -1,15 +1,27 @@
-$NetBSD: patch-auth.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-auth.c,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
-Replace uid 0 with ROOTUID macro
+* Replace uid 0 with ROOTUID macro.
 * Use login_getpwclass() instead of login_getclass() so that the root
   vs. default login class distinction is made correctly, from FrrrBSD's
   ports.
---- auth.c.orig	2013-06-01 21:41:51.000000000 +0000
+--- auth.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ auth.c
-@@ -407,7 +407,7 @@ check_key_in_hostfiles(struct passwd *pw
+@@ -422,7 +422,7 @@ check_key_in_hostfiles(struct passwd *pw
  		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
  		if (options.strict_modes &&
  		    (stat(user_hostfile, &st) == 0) &&
 -		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 +		    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
  		    (st.st_mode & 022) != 0)) {
  			logit("Authentication refused for %.100s: "
  			    "bad owner or modes for %.200s",
@@ -651,7 +651,7 @@ getpwnamallow(const char *user)
  	if (!allowed_user(pw))
  		return (NULL);
  #ifdef HAVE_LOGIN_CAP
 -	if ((lc = login_getclass(pw->pw_class)) == NULL) {
 +	if ((lc = login_getpwclass(pw)) == NULL) {
  		debug("unable to get login class: %s", user);
  		return (NULL);
+ 	}

--- pkgsrc/security/openssh/patches/Attic/patch-auth1.c 2013/12/01 06:11:41 1.2
+++ pkgsrc/security/openssh/patches/Attic/patch-auth1.c 2015/07/14 22:03:39 1.2.14.1

 @@ -1,26 +1,26 @@
-$NetBSD: patch-auth1.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-auth1.c,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
 Replace uid 0 with ROOTUID macro
---- auth1.c.orig	2013-06-01 22:01:24.000000000 +0000
+--- auth1.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ auth1.c
-@@ -319,7 +319,7 @@ do_authloop(Authctxt *authctxt)
+@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
  #ifndef HAVE_CYGWIN
  		/* Special handling for root */
 -		if (authenticated && authctxt->pw->pw_uid == 0 &&
 +		if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
  		    !auth_root_allowed(meth->name)) {
   			authenticated = 0;
  # ifdef SSH_AUDIT_EVENTS
-@@ -420,8 +420,8 @@ do_authentication(Authctxt *authctxt)
+@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
  	 * If we are not running as root, the user must have the same uid as
  	 * the server.
  	 */
 -#ifndef HAVE_CYGWIN
 -	if (!use_privsep && getuid() != 0 && authctxt->pw &&
 +#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
 +	if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
  	    authctxt->pw->pw_uid != getuid())
  		packet_disconnect("Cannot change user when server not running as root.");
  #endif

--- pkgsrc/security/openssh/patches/Attic/patch-includes.h 2013/12/01 06:11:41 1.2
+++ pkgsrc/security/openssh/patches/Attic/patch-includes.h 2015/07/14 22:03:39 1.2.14.1

 @@ -1,17 +1,17 @@
-$NetBSD: patch-includes.h,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-includes.h,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
 Interix support
---- includes.h.orig	2013-03-22 01:51:09.000000000 +0000
+--- includes.h.orig	2015-07-01 02:35:31.000000000 +0000
 +++ includes.h
-@@ -126,6 +126,10 @@
+@@ -127,6 +127,10 @@
  #ifdef HAVE_READPASSPHRASE_H
  # include <readpassphrase.h>
  #endif
 +#ifdef HAVE_INTERIX
 +# include <interix/env.h>
 +# include <interix/security.h>
 +#endif
  #ifdef HAVE_IA_H
  # include <ia.h>

--- pkgsrc/security/openssh/patches/Attic/patch-scp.c 2013/12/01 06:11:41 1.2
+++ pkgsrc/security/openssh/patches/Attic/patch-scp.c 2015/07/14 22:03:39 1.2.14.1

 @@ -1,39 +1,39 @@
-$NetBSD: patch-scp.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-scp.c,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
 Interix support
---- scp.c.orig	2013-07-18 06:11:25.000000000 +0000
+--- scp.c.orig	2015-07-01 02:35:31.000000000 +0000
 +++ scp.c
-@@ -477,7 +477,11 @@ main(int argc, char **argv)
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
  	argc -= optind;
  	argv += optind;
 +#ifdef HAVE_INTERIX
 +	if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
 +#else
  	if ((pwd = getpwuid(userid = getuid())) == NULL)
 +#endif
  		fatal("unknown user %u", (u_int) userid);
  	if (!isatty(STDOUT_FILENO))
-@@ -881,8 +885,10 @@ rsource(char *name, struct stat *statp)
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
  		return;
+ 	}
  	while ((dp = readdir(dirp)) != NULL) {
 +#ifndef HAVE_INTERIX
  		if (dp->d_ino == 0)
  			continue;
 +#endif
  		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
  			continue;
  		if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
-@@ -1292,7 +1298,9 @@ okname(char *cp0)
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
  			case '\'':
  			case '"':
  			case '`':
 +#ifndef HAVE_INTERIX
  			case ' ':
 +#endif
  			case '#':
  				goto bad;
  			default:

--- pkgsrc/security/openssh/patches/Attic/patch-channels.c 2015/03/19 20:23:55 1.1
+++ pkgsrc/security/openssh/patches/Attic/patch-channels.c 2015/07/14 22:03:39 1.1.4.1

 @@ -1,22 +1,22 @@
-$NetBSD: patch-channels.c,v 1.1 2015/03/19 20:23:55 tron Exp $
+$NetBSD: patch-channels.c,v 1.1.4.1 2015/07/14 22:03:39 tron Exp $
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
---- channels.c.orig	2014-02-26 23:18:33.000000000 +0000
+--- channels.c.orig	2015-07-01 02:35:31.000000000 +0000
-+++ channels.c	2015-03-19 20:16:04.000000000 +0000
++++ channels.c
-@@ -3576,15 +3576,35 @@
+@@ -4037,15 +4037,35 @@ x11_connect_display(void)
  	 * connection to the real X server.
  	 */
 -	/* Check if the display is from launchd. */
  #ifdef __APPLE__
 -	if (strncmp(display, "/tmp/launch", 11) == 0) {
 -		sock = connect_local_xsocket_path(display);
 -		if (sock < 0)
 -			return -1;
 +	/* Check if the display is a path to a socket (as set by launchd). */
 +	{
 +		char path[PATH_MAX];
 +		struct stat sbuf;

--- pkgsrc/security/openssh/patches/patch-clientloop.c 2015/03/19 20:23:55 1.1
+++ pkgsrc/security/openssh/patches/patch-clientloop.c 2015/07/14 22:03:39 1.1.4.1

 @@ -1,33 +1,33 @@
-$NetBSD: patch-clientloop.c,v 1.1 2015/03/19 20:23:55 tron Exp $
+$NetBSD: patch-clientloop.c,v 1.1.4.1 2015/07/14 22:03:39 tron Exp $
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
---- clientloop.c.orig	2014-02-04 00:20:15.000000000 +0000
+--- clientloop.c.orig	2015-07-01 02:35:31.000000000 +0000
-+++ clientloop.c	2015-03-19 20:16:04.000000000 +0000
++++ clientloop.c
-@@ -313,6 +313,10 @@
+@@ -314,6 +314,10 @@ client_x11_get_proto(const char *display
  	struct stat st;
- 	u_int now;
+ 	u_int now, x11_timeout_real;
 +#if __APPLE__
 +	int is_path_to_socket = 0;
 +#endif /* __APPLE__ */
++
  	xauthdir = xauthfile = NULL;
  	*_proto = proto;
  	*_data = data;
-@@ -328,6 +332,33 @@
+@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
  			debug("x11_get_proto: DISPLAY not set");
  			return;
+ 		}
 +#if __APPLE__
 +		{
 +			/*
 +			 * If using launchd socket, remove the screen number from the end
 +			 * of $DISPLAY. is_path_to_socket is used later in this function
 +			 * to determine if an error should be displayed.
 +			 */
 +			char path[PATH_MAX];
 +			struct stat sbuf;
++
 @@ -41,23 +41,23 @@ https://trac.macports.org/browser/trunk/
 +					/* screen = atoi(dot + 1); */
 +					if (0 == stat(path, &sbuf)) {
 +						is_path_to_socket = 1;
 +						debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
 +						setenv("DISPLAY", path, 1);
 +					}
 +				}
 +			}
 +		}
 +#endif /* __APPLE__ */
  		/*
  		 * Handle FamilyLocal case where $DISPLAY does
  		 * not match an authorization entry.  For this we
-@@ -407,6 +438,9 @@
+@@ -420,6 +451,9 @@ client_x11_get_proto(const char *display
  	if (!got_data) {
  		u_int32_t rnd = 0;
 +#if __APPLE__
 +		if (!is_path_to_socket)
 +#endif /* __APPLE__ */
  		logit("Warning: No xauth data; "
  		    "using fake authentication data for X11 forwarding.");
  		strlcpy(proto, SSH_X11_PROTO, sizeof proto);

--- pkgsrc/security/openssh/patches/patch-defines.h 2014/03/29 09:38:11 1.2
+++ pkgsrc/security/openssh/patches/patch-defines.h 2015/07/14 22:03:39 1.2.12.1

 @@ -1,36 +1,36 @@
-$NetBSD: patch-defines.h,v 1.2 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-defines.h,v 1.2.12.1 2015/07/14 22:03:39 tron Exp $
 Define ROOTUID, UTMPX_FILE and WTMPX_FILE
---- defines.h.orig	2014-01-17 13:12:38.000000000 +0000
+--- defines.h.orig	2015-07-01 02:35:31.000000000 +0000
 +++ defines.h
 @@ -30,6 +30,15 @@
  /* Constants */
 +#ifdef HAVE_INTERIX
 +/* Interix has a special concept of "administrator". */
 +# define ROOTUID	197108
 +# define ROOTGID	131616
 +#else
 +# define ROOTUID	0
 +# define ROOTGID	0
 +#endif
++
  #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
  enum
+ {
-@@ -708,6 +717,24 @@ struct winsize {
+@@ -721,6 +730,24 @@ struct winsize {
  #    endif
  #  endif
  #endif
 +#ifndef UTMPX_FILE
 +#  ifdef _PATH_UTMPX
 +#    define UTMPX_FILE _PATH_UTMPX
 +#  else
 +#    ifdef CONF_UTMPX_FILE
 +#      define UTMPX_FILE CONF_UTMPX_FILE
 +#    endif
 +#  endif
 +#endif
 +#ifndef WTMPX_FILE

--- pkgsrc/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h 2014/03/29 09:38:11 1.2
+++ pkgsrc/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h 2015/07/14 22:03:39 1.2.12.1

 @@ -1,17 +1,17 @@
-$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.2 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.2.12.1 2015/07/14 22:03:39 tron Exp $
 strtoll() declaration
---- openbsd-compat/openbsd-compat.h.orig	2014-02-04 00:18:23.000000000 +0000
+--- openbsd-compat/openbsd-compat.h.orig	2015-07-01 02:35:31.000000000 +0000
 +++ openbsd-compat/openbsd-compat.h
-@@ -84,6 +84,10 @@ size_t strlcat(char *dst, const char *sr
+@@ -91,6 +91,10 @@ size_t strlcat(char *dst, const char *sr
  int setenv(register const char *name, register const char *value, int rewrite);
  #endif
 +#ifndef HAVE_STRTOLL
 +long long strtoll(const char *, char **, int);
 +#endif
++
  #ifndef HAVE_STRMODE
  void strmode(int mode, char *p);
  #endif

$NetBSD: patch-sshd.8,v 1.1.2.2 2015/07/14 22:03:39 tron Exp $

* Revive tcp_wrappers support.

--- sshd.8.orig	2015-07-01 02:35:31.000000000 +0000
+++ sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -956,6 +962,7 @@ The content of this file is not sensitiv
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,