summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--net-misc/openssh/Manifest23
-rw-r--r--net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch54
-rw-r--r--net-misc/openssh/files/openssh-4.5_p1-padlock.diff35
-rw-r--r--net-misc/openssh/files/openssh-4.7_p1-CVE-2008-1483.patch16
-rw-r--r--net-misc/openssh/files/openssh-4.7_p1-ForceCommand.patch24
-rw-r--r--net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch127
-rw-r--r--net-misc/openssh/files/openssh-4.7_p1-engines.patch140
-rw-r--r--net-misc/openssh/files/openssh-4.7_p1-lpk-64bit.patch45
-rw-r--r--net-misc/openssh/files/openssh-4.7_p1-packet-size.patch30
-rw-r--r--net-misc/openssh/files/openssh-4.7p1-selinux.diff11
-rw-r--r--net-misc/openssh/files/openssh-5.2_p1-BJA-ldap-stdargs.diff10
-rw-r--r--net-misc/openssh/files/openssh_4.7p1-blacklist.patch969
-rw-r--r--net-misc/openssh/files/sshd.confd21
-rw-r--r--net-misc/openssh/files/sshd.pam9
-rw-r--r--net-misc/openssh/files/sshd.pam_include8
-rw-r--r--net-misc/openssh/files/sshd.pam_include.18
-rw-r--r--net-misc/openssh/files/sshd.pam_include.24
-rw-r--r--net-misc/openssh/files/sshd.rc680
-rw-r--r--net-misc/openssh/openssh-5.2_p1-r1.ebuild224
19 files changed, 0 insertions, 1838 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
deleted file mode 100644
index 3d8dbb29..00000000
--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,23 +0,0 @@
-AUX openssh-4.4_p1-ldap-hpn-glue.patch 1538 RMD160 eba0400a328f23b9329429d2da65b80ead546d4d SHA1 7190e861e8be4f03ae42ad43ba1770fdca95d46a SHA256 63e9f729fbb40babdf5cd2b4d87f4d1cb5a9aaed60bf7a8c072c22f9a6fb36ab
-AUX openssh-4.5_p1-padlock.diff 1671 RMD160 39ba64e4395e26f6fa9a32ebd89e7524f3bda2a1 SHA1 ee46ce71be4a0a925a6c01889988bc6b014fc46f SHA256 ce6c2150522de13ba9f044810d80b4076eecced629182b893798d66a7dc68dc5
-AUX openssh-4.7_p1-CVE-2008-1483.patch 338 RMD160 b47fd4d07ae38c42a62c1abc740ff5477ef8fa53 SHA1 a77143c5203ce042d586bf4ecbcb1478016b03a5 SHA256 a9aa1c2ae2eae1b3cc54237aabdb5f2e9e74313d4c0b7151889002fd7950a9dc
-AUX openssh-4.7_p1-ForceCommand.patch 939 RMD160 c1f8481d4f5afdf75f17472f7960e7043df336b7 SHA1 35398fa295ae4075d88ae830d09fbdc380802e26 SHA256 ac90408bf2d5fc9c008f13de560ab0e72428593b198df3bd30f257ee221d0e6a
-AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 RMD160 4e02e0a85c0e33c917ec8c22b4e1c173a9d7d79e SHA1 d8a81eb92a49763106cfa5b319c22c6f188508ef SHA256 88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7
-AUX openssh-4.7_p1-engines.patch 4202 RMD160 33648508fc66d422eaea17ff5ed756ceb641083e SHA1 9b63b26544c13655ee60148f90e86b26085d61fd SHA256 0258978c9093a266d7db96c3203b7ed8b68437d0a5ce3378d6a1144f8a1e36d9
-AUX openssh-4.7_p1-lpk-64bit.patch 1096 RMD160 566e48f34b44add23e3d46456e54d6d3a453cac1 SHA1 83704313a423be33f9ac62499908b5da95c0d8f4 SHA256 442bb358ebeceaead8fd8a84c7c041f2bf7fb11ab623d74a902febeeb582903d
-AUX openssh-4.7_p1-packet-size.patch 1130 RMD160 b604b500747f5b53c9ddc3950adfaca9af54cfff SHA1 ba13a01dceb5aadfa646c23b675b74b14123c68f SHA256 8d0c89ae533366d3f7808274eb4a46c969a51011d7c25e167e22a476d6b2f168
-AUX openssh-4.7p1-selinux.diff 541 RMD160 bcb8f1fef2ae8378e7000732223c6116e06e0d6f SHA1 395b4dcff3eb7b92582a4364e612fff87278e7bc SHA256 ef8d71c46059bdcc8487cad06914639a8237197561cc030d8eed3baf418cc810
-AUX openssh-5.2_p1-BJA-ldap-stdargs.diff 251 RMD160 b4b7fef4db654feb27d3752b3ba229097e663300 SHA1 a60afd12e1832e38d3ea37ee60779bda6dec5da8 SHA256 321a458d02e87d0928d254409c9452295f853f199f2a238a3e1fe0853199f243
-AUX openssh_4.7p1-blacklist.patch 29059 RMD160 0bd01594f8174ebd8e55ffc56cfe9de09137509b SHA1 6057cfa1e4357f7b116149a793824902fa37efa6 SHA256 37d05f2f5957d121d00219f2fb79089d1e4488232e16e0fded9f4403d9b05c2c
-AUX sshd.confd 396 RMD160 029680b2281961130a815ef599750c4fc4e84987 SHA1 23c283d0967944b6125be26ed4628f49abf586b2 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41
-AUX sshd.pam 294 RMD160 1d4499a7de54188e51e87a240ec7a1b3b1af583d SHA1 4cd17fb40793fa9ca77ac93698129f2c8cafd7b8 SHA256 f01cc51c624b21a815fb6c0be35edc590e2e6f8a5ffbdcabc220a9630517972f
-AUX sshd.pam_include 205 RMD160 6b20ea83c69ef613d75daf43515aaec88d4cd815 SHA1 122472d859c24f7c776bb10fbfcb0221146ed056 SHA256 8d59135e96f4eff6b80c143b82cced7beb0bbca19ff91b479f1ba92916243d5e
-AUX sshd.pam_include.1 205 RMD160 3051b92836a496c7c431f41585de688f7c9f51a7 SHA1 b9eca146fcea016b7146f1ac11cf3d072d887b27 SHA256 3185075821bb1f76cdc584c28f690a7338f8db5489d5fce73fe4bcbbfd3dfbfa
-AUX sshd.pam_include.2 156 RMD160 c4f6ba6e3a705eef63e571189e28de71e7d61178 SHA1 1223f7a43a5e124521d48852b2d23bb8ba0a788f SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c
-AUX sshd.rc6 2123 RMD160 e1f655ae93bfed5dfe9ecc49a6adbe860e2f6364 SHA1 2c3117ff61d28d1d9f52ef0d8348c9cfc5b8d55d SHA256 b86a728768a1ce2d47cc5fef01627cb53da6ebb79d827ad4616ae6eb8c0f00f1
-DIST openssh-5.0p1-gsskex-20080404.patch 68272 RMD160 7adfadf11f0fbc8fb5f71848d6fb8c4231e4ebc4 SHA1 41dfe293b3a3c08163cd43926fefabd321f0c37f SHA256 8f8b9910af767ce8e2a5d4854e95c8eb8b089bb250b290d22add38e9ddb1791e
-DIST openssh-5.2p1+x509-6.2.diff.gz 153010 RMD160 a4d7675edc87ee34d4fbc912ca03830936abee5e SHA1 cb5508827185412295b997705711f9f7697ace4e SHA256 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
-DIST openssh-5.2p1.tar.gz 1016612 RMD160 7c53f342034b16e9faa9f5a09ef46390420722eb SHA1 8273a0237db98179fbdc412207ff8eb14ff3d6de SHA256 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae
-DIST openssh-5.2pkcs11-0.26.tar.bz2 18642 RMD160 07093fb2ad47247b2f028fae4fe1b80edf4ddaf8 SHA1 755793398e1b04ee6c15458a69ce4ad68d2abee0 SHA256 9655f118c614f76cfdd3164b5c0e3e430f20a4ce16c65df0dc1b594648cf1c07
-DIST openssh-lpk-5.2p1-0.3.11.patch.gz 18116 RMD160 2ff9bdff19e0854a96063be1e0589fa3f85da0d7 SHA1 33b36cf94f68a80fca497da110529ce69d62fbb0 SHA256 450b56a989767aa65a974213e8f7e9d0ee9d08522247db7b787730e53685bebd
-EBUILD openssh-5.2_p1-r1.ebuild 7024 RMD160 59a191d64bed42fd43af2aab54680bf87dd5db3f SHA1 e46bcd44b689971c599b7a5a8310aeb7edf53151 SHA256 ca385089dd54edcf68687efbd5ce535af6be7bb395e684be06ee55dac152d841
diff --git a/net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch b/net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch
deleted file mode 100644
index 20e796b5..00000000
--- a/net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-allow ldap and hpn patches to play nice
-
---- servconf.c
-+++ servconf.c
-@@ -116,24 +116,6 @@
- options->num_allow_groups = 0;
- options->num_deny_groups = 0;
- options->ciphers = NULL;
-- options->macs = NULL;
-- options->protocol = SSH_PROTO_UNKNOWN;
-- options->gateway_ports = -1;
-- options->num_subsystems = 0;
-- options->max_startups_begin = -1;
-- options->max_startups_rate = -1;
-- options->max_startups = -1;
-- options->max_authtries = -1;
-- options->banner = NULL;
-- options->use_dns = -1;
-- options->client_alive_interval = -1;
-- options->client_alive_count_max = -1;
-- options->authorized_keys_file = NULL;
-- options->authorized_keys_file2 = NULL;
-- options->num_accept_env = 0;
-- options->permit_tun = -1;
-- options->num_permitted_opens = -1;
-- options->adm_forced_command = NULL;
- #ifdef WITH_LDAP_PUBKEY
- /* XXX dirty */
- options->lpk.ld = NULL;
-@@ -152,6 +134,24 @@
- options->lpk.flags = FLAG_EMPTY;
- #endif
-
-+ options->macs = NULL;
-+ options->protocol = SSH_PROTO_UNKNOWN;
-+ options->gateway_ports = -1;
-+ options->num_subsystems = 0;
-+ options->max_startups_begin = -1;
-+ options->max_startups_rate = -1;
-+ options->max_startups = -1;
-+ options->max_authtries = -1;
-+ options->banner = NULL;
-+ options->use_dns = -1;
-+ options->client_alive_interval = -1;
-+ options->client_alive_count_max = -1;
-+ options->authorized_keys_file = NULL;
-+ options->authorized_keys_file2 = NULL;
-+ options->num_accept_env = 0;
-+ options->permit_tun = -1;
-+ options->num_permitted_opens = -1;
-+ options->adm_forced_command = NULL;
- }
-
- void
diff --git a/net-misc/openssh/files/openssh-4.5_p1-padlock.diff b/net-misc/openssh/files/openssh-4.5_p1-padlock.diff
deleted file mode 100644
index 6c56bd87..00000000
--- a/net-misc/openssh/files/openssh-4.5_p1-padlock.diff
+++ /dev/null
@@ -1,35 +0,0 @@
---- openssh-4.5_p1.ebuild 2007-01-08 21:06:30.000000000 +0100
-+++ openssh-4.5_p1-padlock.ebuild 2007-01-20 19:52:40.000000000 +0100
-@@ -15,6 +15,7 @@
- SECURID_PATCH="${PARCH/4.5/4.4}+SecurID_v1.3.2.patch"
- LDAP_PATCH="${PARCH/-4.5p1/-lpk-4.4p1}-0.3.7.patch"
- HPN_PATCH="${PARCH}-hpn12v14.diff.gz"
-+PADLOCK_PATCH="openssh-4.5p1-engines.diff"
-
- DESCRIPTION="Port of OpenBSD's free SSH release"
- HOMEPAGE="http://www.openssh.com/"
-@@ -22,12 +23,13 @@
- X509? ( http://roumenpetrov.info/openssh/x509-5.5.2/${X509_PATCH} )
- ldap? ( http://dev.inversepath.com/openssh-lpk/${LDAP_PATCH} )
- hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
-- smartcard? ( http://omniti.com/~jesus/projects/${SECURID_PATCH} )"
-+ smartcard? ( http://omniti.com/~jesus/projects/${SECURID_PATCH} )
-+ padlock? ( http://www.logix.cz/michal/devel/padlock/contrib/${PADLOCK_PATCH} )"
-
- LICENSE="as-is"
- SLOT="0"
- KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
--IUSE="static pam tcpd kerberos skey selinux chroot X509 ldap smartcard hpn libedit X"
-+IUSE="static pam tcpd kerberos skey selinux chroot X509 ldap smartcard hpn libedit X padlock"
-
- RDEPEND="pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
-@@ -75,6 +77,8 @@
- use X509 && epatch "${DISTDIR}"/${X509_PATCH} "${FILESDIR}"/${PN}-4.4_p1-x509-hpn-glue.patch
- use chroot && epatch "${FILESDIR}"/openssh-4.3_p1-chroot.patch
- use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
-+ use padlock && epatch "${DISTDIR}"/${PADLOCK_PATCH}
-+
- if ! use X509 ; then
- if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then
- epatch "${DISTDIR}"/${SECURID_PATCH} \
diff --git a/net-misc/openssh/files/openssh-4.7_p1-CVE-2008-1483.patch b/net-misc/openssh/files/openssh-4.7_p1-CVE-2008-1483.patch
deleted file mode 100644
index 8282bf1d..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-CVE-2008-1483.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Ripped from Fedora for CVE-2008-1483
-
-http://bugs.gentoo.org/214985
-
---- openssh-3.9p1/channels.c
-+++ openssh-3.9p1/channels.c
-@@ -2653,9 +2653,6 @@
- debug2("bind port %d: %.100s", port, strerror(errno));
- close(sock);
-
-- if (ai->ai_next)
-- continue;
--
- for (n = 0; n < num_socks; n++) {
- close(socks[n]);
- }
diff --git a/net-misc/openssh/files/openssh-4.7_p1-ForceCommand.patch b/net-misc/openssh/files/openssh-4.7_p1-ForceCommand.patch
deleted file mode 100644
index 93072236..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-ForceCommand.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-security fix
-
-http://bugs.gentoo.org/215702
-ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/001_openssh.patch
-
-Index: usr.bin/ssh/session.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/session.c,v
-retrieving revision 1.230
-diff -u -r1.230 session.c
---- usr.bin/ssh/session.c 22 Feb 2008 05:58:56 -0000 1.230
-+++ usr.bin/ssh/session.c 27 Mar 2008 10:54:55 -0000
-@@ -878,8 +878,9 @@
- do_xauth =
- s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
-
-- /* ignore _PATH_SSH_USER_RC for subsystems */
-- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
-+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
-+ if (!s->is_subsystem && options.adm_forced_command == NULL &&
-+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
- snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
- shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
- if (debug_flag)
diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index c81ae5cb..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
-Index: readconf.c
-===================================================================
-RCS file: /cvs/openssh/readconf.c,v
-retrieving revision 1.135
-diff -u -r1.135 readconf.c
---- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
-+++ readconf.c 19 Aug 2006 11:59:52 -0000
-@@ -126,6 +126,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -163,9 +164,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- #else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- { "fallbacktorsh", oDeprecated },
- { "usersh", oDeprecated },
-@@ -444,6 +447,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1010,6 +1017,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1100,6 +1108,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-Index: readconf.h
-===================================================================
-RCS file: /cvs/openssh/readconf.h,v
-retrieving revision 1.63
-diff -u -r1.63 readconf.h
---- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
-+++ readconf.h 19 Aug 2006 11:59:52 -0000
-@@ -45,6 +45,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: ssh_config.5
-===================================================================
-RCS file: /cvs/openssh/ssh_config.5,v
-retrieving revision 1.97
-diff -u -r1.97 ssh_config.5
---- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
-+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
-@@ -483,7 +483,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
--Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-Index: sshconnect2.c
-===================================================================
-RCS file: /cvs/openssh/sshconnect2.c,v
-retrieving revision 1.151
-diff -u -r1.151 sshconnect2.c
---- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
-+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
-@@ -499,6 +499,12 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns)
-+ gss_host = get_canonical_hostname(1);
-+ else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -511,7 +517,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
diff --git a/net-misc/openssh/files/openssh-4.7_p1-engines.patch b/net-misc/openssh/files/openssh-4.7_p1-engines.patch
deleted file mode 100644
index 6da355e4..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-engines.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-diff -urN openssh-4.7p1.orig/ssh-add.c openssh-4.7p1/ssh-add.c
---- openssh-4.7p1.orig/ssh-add.c 2006-09-01 07:38:37.000000000 +0200
-+++ openssh-4.7p1/ssh-add.c 2007-05-19 02:52:09.000000000 +0200
-@@ -42,6 +42,7 @@
- #include <sys/param.h>
-
- #include <openssl/evp.h>
-+#include <openssl/engine.h>
-
- #include <fcntl.h>
- #include <pwd.h>
-@@ -343,6 +344,11 @@
-
- SSLeay_add_all_algorithms();
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- /* At first, get a connection to the authentication agent. */
- ac = ssh_get_authentication_connection();
- if (ac == NULL) {
-diff -urN openssh-4.7p1.orig/ssh-agent.c openssh-4.7p1/ssh-agent.c
---- openssh-4.7p1.orig/ssh-agent.c 2007-02-28 11:19:58.000000000 +0100
-+++ openssh-4.7p1/ssh-agent.c 2007-05-19 02:52:09.000000000 +0200
-@@ -51,6 +51,7 @@
-
- #include <openssl/evp.h>
- #include <openssl/md5.h>
-+#include <openssl/engine.h>
-
- #include <errno.h>
- #include <fcntl.h>
-@@ -1043,6 +1044,11 @@
-
- SSLeay_add_all_algorithms();
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- __progname = ssh_get_progname(av[0]);
- init_rng();
- seed_rng();
-diff -urN openssh-4.7p1.orig/ssh-keygen.c openssh-4.7p1/ssh-keygen.c
---- openssh-4.7p1.orig/ssh-keygen.c 2007-02-19 12:10:25.000000000 +0100
-+++ openssh-4.7p1/ssh-keygen.c 2007-05-19 02:52:09.000000000 +0200
-@@ -21,6 +21,7 @@
-
- #include <openssl/evp.h>
- #include <openssl/pem.h>
-+#include <openssl/engine.h>
-
- #include <errno.h>
- #include <fcntl.h>
-@@ -1073,6 +1074,12 @@
- __progname = ssh_get_progname(argv[0]);
-
- SSLeay_add_all_algorithms();
-+
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-
- init_rng();
-diff -urN openssh-4.7p1.orig/ssh-keysign.c openssh-4.7p1/ssh-keysign.c
---- openssh-4.7p1.orig/ssh-keysign.c 2006-09-01 07:38:37.000000000 +0200
-+++ openssh-4.7p1/ssh-keysign.c 2007-05-19 02:52:09.000000000 +0200
-@@ -38,6 +38,7 @@
- #include <openssl/evp.h>
- #include <openssl/rand.h>
- #include <openssl/rsa.h>
-+#include <openssl/engine.h>
-
- #include "xmalloc.h"
- #include "log.h"
-@@ -195,6 +196,12 @@
- fatal("could not open any host key");
-
- SSLeay_add_all_algorithms();
-+
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- for (i = 0; i < 256; i++)
- rnd[i] = arc4random();
- RAND_seed(rnd, sizeof(rnd));
-diff -urN openssh-4.7p1.orig/ssh.c openssh-4.7p1/ssh.c
---- openssh-4.7p1.orig/ssh.c 2007-01-05 06:30:17.000000000 +0100
-+++ openssh-4.7p1/ssh.c 2007-05-19 02:52:09.000000000 +0200
-@@ -72,6 +72,7 @@
-
- #include <openssl/evp.h>
- #include <openssl/err.h>
-+#include <openssl/engine.h>
-
- #include "xmalloc.h"
- #include "ssh.h"
-@@ -556,6 +557,11 @@
- SSLeay_add_all_algorithms();
- ERR_load_crypto_strings();
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- /* Initialize the command to execute on remote host. */
- buffer_init(&command);
-
-diff -urN openssh-4.7p1.orig/sshd.c openssh-4.7p1/sshd.c
---- openssh-4.7p1.orig/sshd.c 2007-02-25 10:37:22.000000000 +0100
-+++ openssh-4.7p1/sshd.c 2007-05-19 02:52:09.000000000 +0200
-@@ -75,6 +75,7 @@
- #include <openssl/bn.h>
- #include <openssl/md5.h>
- #include <openssl/rand.h>
-+#include <openssl/engine.h>
- #ifdef HAVE_SECUREWARE
- #include <sys/security.h>
- #include <prot.h>
-@@ -1027,6 +1028,11 @@
- for (i = 0; i < options.max_startups; i++)
- startup_pipes[i] = -1;
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- /*
- * Stay listening for connections until the system crashes or
- * the daemon is killed with a signal.
diff --git a/net-misc/openssh/files/openssh-4.7_p1-lpk-64bit.patch b/net-misc/openssh/files/openssh-4.7_p1-lpk-64bit.patch
deleted file mode 100644
index 836073f4..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-lpk-64bit.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-http://bugs.gentoo.org/210110
-
---- servconf.c
-+++ servconf.c
-@@ -690,6 +690,7 @@
- {
- char *cp, **charptr, *arg, *p;
- int cmdline = 0, *intptr, value, n;
-+ unsigned long lvalue, *longptr;
- ServerOpCodes opcode;
- u_short port;
- u_int i, flags = 0;
-@@ -704,6 +705,7 @@
- if (!arg || !*arg || *arg == '#')
- return 0;
- intptr = NULL;
-+ longptr = NULL;
- charptr = NULL;
- opcode = parse_token(arg, filename, linenum, &flags);
-
-@@ -1421,11 +1423,20 @@
- *intptr = value;
- break;
- case sBindTimeout:
-- intptr = (int *) &options->lpk.b_timeout.tv_sec;
-- goto parse_int;
-+ longptr = (unsigned long *) &options->lpk.b_timeout.tv_sec;
-+parse_ulong:
-+ arg = strdelim(&cp);
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing integer value.",
-+ filename, linenum);
-+ lvalue = atol(arg);
-+ if (*activep && *longptr == -1)
-+ *longptr = lvalue;
-+ break;
-+
- case sSearchTimeout:
-- intptr = (int *) &options->lpk.s_timeout.tv_sec;
-- goto parse_int;
-+ longptr = (unsigned long *) &options->lpk.s_timeout.tv_sec;
-+ goto parse_ulong;
- break;
- case sLdapConf:
- arg = cp;
diff --git a/net-misc/openssh/files/openssh-4.7_p1-packet-size.patch b/net-misc/openssh/files/openssh-4.7_p1-packet-size.patch
deleted file mode 100644
index 85023b4a..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-packet-size.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix from upstream
-
-http://bugs.gentoo.org/212433
-https://bugzilla.mindrot.org/show_bug.cgi?id=1360
-
-Index: clientloop.c
-===================================================================
-RCS file: /usr/local/src/security/openssh/cvs/openssh/clientloop.c,v
-retrieving revision 1.170
-diff -u -p -r1.170 clientloop.c
---- clientloop.c 28 Dec 2007 15:45:07 -0000 1.170
-+++ clientloop.c 28 Dec 2007 18:14:10 -0000
-@@ -1745,7 +1745,7 @@ client_request_forwarded_tcpip(const cha
- }
- c = channel_new("forwarded-tcpip",
- SSH_CHANNEL_CONNECTING, sock, sock, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- originator_address, 1);
- xfree(originator_address);
- xfree(listen_address);
-@@ -1803,7 +1803,7 @@ client_request_agent(const char *request
- return NULL;
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
-- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- "authentication agent connection", 1);
- c->force_drain = 1;
- return c;
diff --git a/net-misc/openssh/files/openssh-4.7p1-selinux.diff b/net-misc/openssh/files/openssh-4.7p1-selinux.diff
deleted file mode 100644
index f1c5c872..00000000
--- a/net-misc/openssh/files/openssh-4.7p1-selinux.diff
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -purN openssh-4.7p1.orig/configure.ac openssh-4.7p1/configure.ac
---- openssh-4.7p1.orig/configure.ac 2007-08-10 00:36:12.000000000 -0400
-+++ openssh-4.7p1/configure.ac 2008-03-31 19:38:54.548935620 -0400
-@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux,
- AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
- AC_MSG_ERROR(SELinux support requires libselinux library))
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
-+ LIBS="$LIBS $LIBSELINUX"
- AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
- LIBS="$save_LIBS"
- fi ]
diff --git a/net-misc/openssh/files/openssh-5.2_p1-BJA-ldap-stdargs.diff b/net-misc/openssh/files/openssh-5.2_p1-BJA-ldap-stdargs.diff
deleted file mode 100644
index edac277a..00000000
--- a/net-misc/openssh/files/openssh-5.2_p1-BJA-ldap-stdargs.diff
+++ /dev/null
@@ -1,10 +0,0 @@
---- ldapauth.c.ori 2009-04-18 18:06:38.000000000 +0200
-+++ ldapauth.c 2009-04-18 18:06:11.000000000 +0200
-@@ -31,6 +31,7 @@
- #include <stdlib.h>
- #include <unistd.h>
- #include <string.h>
-+#include <stdarg.h>
-
- #include "ldapauth.h"
- #include "log.h"
diff --git a/net-misc/openssh/files/openssh_4.7p1-blacklist.patch b/net-misc/openssh/files/openssh_4.7p1-blacklist.patch
deleted file mode 100644
index d4df4b1a..00000000
--- a/net-misc/openssh/files/openssh_4.7p1-blacklist.patch
+++ /dev/null
@@ -1,969 +0,0 @@
-openssh (1:4.7p1-9) unstable; urgency=critical
-
- * Mitigate OpenSSL security vulnerability (CVE-2008-0166):
- - Add key blacklisting support. Keys listed in
- /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
- sshd, unless "PermitBlacklistedKeys yes" is set in
- /etc/ssh/sshd_config.
- - Add a new program, ssh-vulnkey, which can be used to check keys
- against these blacklists.
-
- -- Colin Watson <cjwatson@debian.org> Tue, 13 May 2008 12:33:38 +0100
-
-Index: openssh-4.7p1/sshd_config.5
-===================================================================
---- openssh-4.7p1.orig/sshd_config.5
-+++ openssh-4.7p1/sshd_config.5
-@@ -677,6 +677,20 @@ are refused if the number of unauthentic
- Specifies whether password authentication is allowed.
- The default is
- .Dq yes .
-+.It Cm PermitBlacklistedKeys
-+Specifies whether
-+.Xr sshd 8
-+should allow keys recorded in its blacklist of known-compromised keys (see
-+.Xr ssh-vulnkey 1 ) .
-+If
-+.Dq yes ,
-+then attempts to authenticate with compromised keys will be logged but
-+accepted.
-+If
-+.Dq no ,
-+then attempts to authenticate with compromised keys will be rejected.
-+The default is
-+.Dq no .
- .It Cm PermitEmptyPasswords
- When password authentication is allowed, it specifies whether the
- server allows login to accounts with empty password strings.
-Index: openssh-4.7p1/sshd.c
-===================================================================
---- openssh-4.7p1.orig/sshd.c
-+++ openssh-4.7p1/sshd.c
-@@ -1469,6 +1469,21 @@ main(int ac, char **av)
-
- for (i = 0; i < options.num_host_key_files; i++) {
- key = key_load_private(options.host_key_files[i], "", NULL);
-+ if (key && blacklisted_key(key)) {
-+ char *fp;
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ error("Host key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ error("Host key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ xfree(fp);
-+ if (!options.permit_blacklisted_keys) {
-+ sensitive_data.host_keys[i] = NULL;
-+ continue;
-+ }
-+ }
- sensitive_data.host_keys[i] = key;
- if (key == NULL) {
- error("Could not load host key: %s",
-Index: openssh-4.7p1/servconf.c
-===================================================================
---- openssh-4.7p1.orig/servconf.c
-+++ openssh-4.7p1/servconf.c
-@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-+ options->permit_blacklisted_keys = -1;
- options->permit_empty_passwd = -1;
- options->permit_user_env = -1;
- options->use_login = -1;
-@@ -248,6 +249,8 @@ fill_default_server_options(ServerOption
- options->kbd_interactive_authentication = 0;
- if (options->challenge_response_authentication == -1)
- options->challenge_response_authentication = 1;
-+ if (options->permit_blacklisted_keys == -1)
-+ options->permit_blacklisted_keys = 0;
- if (options->permit_empty_passwd == -1)
- options->permit_empty_passwd = 0;
- if (options->permit_user_env == -1)
-@@ -349,7 +352,7 @@ typedef enum {
- sListenAddress, sAddressFamily,
- sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
-+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
- sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
- sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -439,6 +442,7 @@ static struct {
- { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
- { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
- { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-+ { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
- { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
- { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
- { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1003,6 +1007,10 @@ parse_flag:
- intptr = &options->tcp_keep_alive;
- goto parse_flag;
-
-+ case sPermitBlacklistedKeys:
-+ intptr = &options->permit_blacklisted_keys;
-+ goto parse_flag;
-+
- case sEmptyPasswd:
- intptr = &options->permit_empty_passwd;
- goto parse_flag;
-Index: openssh-4.7p1/servconf.h
-===================================================================
---- openssh-4.7p1.orig/servconf.h
-+++ openssh-4.7p1/servconf.h
-@@ -117,6 +117,7 @@ typedef struct {
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
- int challenge_response_authentication;
-+ int permit_blacklisted_keys; /* If true, permit */
- int permit_empty_passwd; /* If false, do not permit empty
- * passwords. */
- int permit_user_env; /* If true, read ~/.ssh/environment */
-Index: openssh-4.7p1/Makefile.in
-===================================================================
---- openssh-4.7p1.orig/Makefile.in
-+++ openssh-4.7p1/Makefile.in
-@@ -73,7 +73,7 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAN
- SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o
- X509STORE_OBJS=x509store.o $(LDAP_OBJS) $(OCSP_OBJS)
-
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
-
- LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -101,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- audit.o audit-bsm.o platform.o $(X509STORE_OBJS)
-
--MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
--MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
-+MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
-+MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
- MANTYPE = @MANTYPE@
-
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -182,6 +182,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sft
- ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
- $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
-+ $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+
- # test driver for the loginrec code - not built by default
- logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
- $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -284,6 +287,7 @@ install-files: scard-install
- $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
-+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
- $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -299,6 +303,7 @@ install-files: scard-install
- $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
- $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
- $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-+ $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
- -rm -f $(DESTDIR)$(bindir)/slogin
- ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -380,6 +385,7 @@ uninstall:
- -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-+ -rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -392,6 +398,7 @@ uninstall:
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-Index: openssh-4.7p1/auth-rh-rsa.c
-===================================================================
---- openssh-4.7p1.orig/auth-rh-rsa.c
-+++ openssh-4.7p1/auth-rh-rsa.c
-@@ -20,6 +20,7 @@
- #include <pwd.h>
- #include <stdarg.h>
-
-+#include "xmalloc.h"
- #include "packet.h"
- #include "uidswap.h"
- #include "log.h"
-@@ -27,6 +28,7 @@
- #include "servconf.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "pathnames.h"
- #include "auth.h"
- #include "canohost.h"
-@@ -42,8 +44,22 @@ int
- auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
- Key *client_host_key)
- {
-+ char *fp;
- HostStatus host_status;
-
-+ if (blacklisted_key(client_host_key)) {
-+ fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ xfree(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-+
- /* Check if we would accept it using rhosts authentication. */
- if (!auth_rhosts(pw, cuser))
- return 0;
-Index: openssh-4.7p1/authfile.h
-===================================================================
---- openssh-4.7p1.orig/authfile.h
-+++ openssh-4.7p1/authfile.h
-@@ -23,4 +23,7 @@ Key *key_load_private_type(int, const ch
- Key *key_load_private_pem(int, int, const char *, char **);
- int key_perm_ok(int, const char *);
-
-+char *blacklist_filename(const Key *key);
-+int blacklisted_key(const Key *key);
-+
- #endif
-Index: openssh-4.7p1/ssh-vulnkey.1
-===================================================================
---- /dev/null
-+++ openssh-4.7p1/ssh-vulnkey.1
-@@ -0,0 +1,151 @@
-+.\" Copyright (c) 2008 Canonical Ltd. All rights reserved.
-+.\"
-+.\" Redistribution and use in source and binary forms, with or without
-+.\" modification, are permitted provided that the following conditions
-+.\" are met:
-+.\" 1. Redistributions of source code must retain the above copyright
-+.\" notice, this list of conditions and the following disclaimer.
-+.\" 2. Redistributions in binary form must reproduce the above copyright
-+.\" notice, this list of conditions and the following disclaimer in the
-+.\" documentation and/or other materials provided with the distribution.
-+.\"
-+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+.\"
-+.Dd $Mdocdate: May 12 2008 $
-+.Dt SSH-VULNKEY 1
-+.Os
-+.Sh NAME
-+.Nm ssh-vulnkey
-+.Nd check blacklist of compromised keys
-+.Sh SYNOPSIS
-+.Nm
-+.Op Fl q
-+.Ar file ...
-+.Nm
-+.Fl a
-+.Sh DESCRIPTION
-+.Nm
-+checks a key against a blacklist of compromised keys.
-+.Pp
-+A substantial number of keys are known to have been generated using a broken
-+version of OpenSSL distributed by Debian which failed to seed its random
-+number generator correctly.
-+Keys generated using these OpenSSL versions should be assumed to be
-+compromised.
-+This tool may be useful in checking for such keys.
-+.Pp
-+Keys that are compromised cannot be repaired; replacements must be generated
-+using
-+.Xr ssh-keygen 1 .
-+Make sure to update
-+.Pa authorized_keys
-+files on all systems where compromised keys were permitted to authenticate.
-+.Pp
-+The argument list will be interpreted as a list of paths to public key files
-+or
-+.Pa authorized_keys
-+files.
-+If no suitable file is found at a given path,
-+.Nm
-+will append
-+.Pa .pub
-+and retry, in case it was given a private key file.
-+If no files are given as arguments,
-+.Nm
-+will check
-+.Pa ~/.ssh/id_rsa ,
-+.Pa ~/.ssh/id_dsa ,
-+.Pa ~/.ssh/identity ,
-+.Pa ~/.ssh/authorized_keys
-+and
-+.Pa ~/.ssh/authorized_keys2 ,
-+as well as the system's host keys if readable.
-+.Pp
-+If
-+.Dq -
-+is given as an argument,
-+.Nm
-+will read from standard input.
-+This can be used to process output from
-+.Xr ssh-keyscan 1 ,
-+for example:
-+.Pp
-+.Dl $ ssh-keyscan -t rsa remote.example.org | ssh-vulnkey -
-+.Pp
-+.Nm
-+will exit zero if any of the given keys were in the compromised list,
-+otherwise non-zero.
-+.Pp
-+Unless the
-+.Cm PermitBlacklistedKeys
-+option is used,
-+.Xr sshd 8
-+will reject attempts to authenticate with keys in the compromised list.
-+.Pp
-+The options are as follows:
-+.Bl -tag -width Ds
-+.It Fl a
-+Check keys of all users on the system.
-+You will typically need to run
-+.Nm
-+as root to use this option.
-+For each user,
-+.Nm
-+will check
-+.Pa ~/.ssh/id_rsa ,
-+.Pa ~/.ssh/id_dsa ,
-+.Pa ~/.ssh/identity ,
-+.Pa ~/.ssh/authorized_keys
-+and
-+.Pa ~/.ssh/authorized_keys2 .
-+It will also check the system's host keys.
-+.It Fl q
-+Quiet mode.
-+Normally,
-+.Nm
-+outputs the fingerprint of each key scanned, with a description of its
-+status.
-+This option suppresses that output.
-+.El
-+.Sh BLACKLIST FILE FORMAT
-+The blacklist file may start with comments, on lines starting with
-+.Dq # .
-+After these initial comments, it must follow a strict format:
-+.Pp
-+.Bl -bullet -offset indent -compact
-+.It
-+All the lines must be exactly the same length (20 characters followed by a
-+newline) and must be in sorted order.
-+.It
-+Each line must consist of the lower-case hexadecimal MD5 key fingerprint,
-+without colons, and with the first 12 characters removed (that is, the least
-+significant 80 bits of the fingerprint).
-+.El
-+.Pp
-+The key fingerprint may be generated using
-+.Xr ssh-keygen 1 :
-+.Pp
-+.Dl $ ssh-keygen -l -f /path/to/key
-+.Pp
-+This strict format is necessary to allow the blacklist file to be checked
-+quickly, using a binary-search algorithm.
-+.Sh SEE ALSO
-+.Xr ssh-keygen 1 ,
-+.Xr sshd 8
-+.Sh AUTHORS
-+.An -nosplit
-+.An Colin Watson Aq cjwatson@ubuntu.com
-+.Pp
-+Florian Weimer suggested the option to check keys of all users, and the idea
-+of processing
-+.Xr ssh-keyscan 1
-+output.
-Index: openssh-4.7p1/auth2-hostbased.c
-===================================================================
---- openssh-4.7p1.orig/auth2-hostbased.c
-+++ openssh-4.7p1/auth2-hostbased.c
-@@ -40,6 +40,7 @@
- #include "compat.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "auth.h"
- #include "canohost.h"
- #ifdef GSSAPI
-@@ -170,10 +171,24 @@ int
- hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
- Key *key)
- {
-+ char *fp;
- const char *resolvedname, *ipaddr, *lookup;
- HostStatus host_status;
- int len;
-
-+ if (blacklisted_key(key)) {
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ xfree(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-+
- resolvedname = get_canonical_hostname(options.use_dns);
- ipaddr = get_remote_ipaddr();
-
-Index: openssh-4.7p1/authfile.c
-===================================================================
---- openssh-4.7p1.orig/authfile.c
-+++ openssh-4.7p1/authfile.c
-@@ -68,6 +68,7 @@
- #include "ssh-x509.h"
- #include "misc.h"
- #include "atomicio.h"
-+#include "pathnames.h"
-
- /* Version identification string for SSH v1 identity files. */
- static const char authfile_id_string[] =
-@@ -696,3 +697,113 @@ key_load_public(const char *filename, ch
- key_free(pub);
- return NULL;
- }
-+
-+char *
-+blacklist_filename(const Key *key)
-+{
-+ char *name;
-+
-+ xasprintf(&name, "%s.%s-%u",
-+ _PATH_BLACKLIST, key_type(key), key_size(key));
-+ return name;
-+}
-+
-+/* Scan a blacklist of known-vulnerable keys. */
-+int
-+blacklisted_key(const Key *key)
-+{
-+ char *blacklist_file;
-+ int fd = -1;
-+ char *dgst_hex = NULL;
-+ char *dgst_packed = NULL, *p;
-+ int i;
-+ size_t line_len;
-+ struct stat st;
-+ char buf[256];
-+ off_t start, lower, upper;
-+ int ret = 0;
-+
-+ blacklist_file = blacklist_filename(key);
-+ debug("Checking blacklist file %s", blacklist_file);
-+ fd = open(blacklist_file, O_RDONLY);
-+ if (fd < 0)
-+ goto out;
-+
-+ dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ /* Remove all colons */
-+ dgst_packed = xcalloc(1, strlen(dgst_hex) + 1);
-+ for (i = 0, p = dgst_packed; dgst_hex[i]; i++)
-+ if (dgst_hex[i] != ':')
-+ *p++ = dgst_hex[i];
-+ /* Only compare least-significant 80 bits (to keep the blacklist
-+ * size down)
-+ */
-+ line_len = strlen(dgst_packed + 12);
-+ if (line_len > 32)
-+ goto out;
-+
-+ /* Skip leading comments */
-+ start = 0;
-+ for (;;) {
-+ ssize_t r;
-+ char *newline;
-+
-+ r = atomicio(read, fd, buf, 256);
-+ if (r <= 0)
-+ goto out;
-+ if (buf[0] != '#')
-+ break;
-+
-+ newline = memchr(buf, '\n', 256);
-+ if (!newline)
-+ goto out;
-+ start += newline + 1 - buf;
-+ if (lseek(fd, start, SEEK_SET) < 0)
-+ goto out;
-+ }
-+
-+ /* Initialise binary search record numbers */
-+ if (fstat(fd, &st) < 0)
-+ goto out;
-+ lower = 0;
-+ upper = (st.st_size - start) / (line_len + 1);
-+
-+ while (lower != upper) {
-+ off_t cur;
-+ char buf[32];
-+ int cmp;
-+
-+ cur = lower + (upper - lower) / 2;
-+
-+ /* Read this line and compare to digest; this is
-+ * overflow-safe since cur < max(off_t) / (line_len + 1) */
-+ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
-+ break;
-+ if (atomicio(read, fd, buf, line_len) != line_len)
-+ break;
-+ cmp = memcmp(buf, dgst_packed + 12, line_len);
-+ if (cmp < 0) {
-+ if (cur == lower)
-+ break;
-+ lower = cur;
-+ } else if (cmp > 0) {
-+ if (cur == upper)
-+ break;
-+ upper = cur;
-+ } else {
-+ debug("Found %s in blacklist", dgst_hex);
-+ ret = 1;
-+ break;
-+ }
-+ }
-+
-+out:
-+ if (dgst_packed)
-+ xfree(dgst_packed);
-+ if (dgst_hex)
-+ xfree(dgst_hex);
-+ if (fd >= 0)
-+ close(fd);
-+ xfree(blacklist_file);
-+ return ret;
-+}
-Index: openssh-4.7p1/ssh-vulnkey.c
-===================================================================
---- /dev/null
-+++ openssh-4.7p1/ssh-vulnkey.c
-@@ -0,0 +1,311 @@
-+/*
-+ * Copyright (c) 2008 Canonical Ltd. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "includes.h"
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+
-+#include <string.h>
-+#include <stdio.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+
-+#include <openssl/evp.h>
-+
-+#include "xmalloc.h"
-+#include "ssh.h"
-+#include "log.h"
-+#include "key.h"
-+#include "authfile.h"
-+#include "pathnames.h"
-+#include "misc.h"
-+
-+extern char *__progname;
-+
-+/* Default files to check */
-+static char *default_host_files[] = {
-+ _PATH_HOST_RSA_KEY_FILE,
-+ _PATH_HOST_DSA_KEY_FILE,
-+ _PATH_HOST_KEY_FILE,
-+ NULL
-+};
-+static char *default_files[] = {
-+ _PATH_SSH_CLIENT_ID_RSA,
-+ _PATH_SSH_CLIENT_ID_DSA,
-+ _PATH_SSH_CLIENT_IDENTITY,
-+ _PATH_SSH_USER_PERMITTED_KEYS,
-+ _PATH_SSH_USER_PERMITTED_KEYS2,
-+ NULL
-+};
-+
-+static int quiet = 0;
-+
-+static void
-+usage(void)
-+{
-+ fprintf(stderr, "usage: %s [-aq] [file ...]\n", __progname);
-+ fprintf(stderr, "Options:\n");
-+ fprintf(stderr, " -a Check keys of all users.\n");
-+ fprintf(stderr, " -q Quiet mode.\n");
-+ exit(1);
-+}
-+
-+void
-+describe_key(const char *msg, const Key *key, const char *comment)
-+{
-+ char *fp;
-+
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (!quiet)
-+ printf("%s: %u %s %s\n", msg, key_size(key), fp, comment);
-+ xfree(fp);
-+}
-+
-+int
-+do_key(const Key *key, const char *comment)
-+{
-+ char *blacklist_file;
-+ struct stat st;
-+ int ret = 1;
-+
-+ blacklist_file = blacklist_filename(key);
-+ if (stat(blacklist_file, &st) < 0)
-+ describe_key("Unknown (no blacklist information)",
-+ key, comment);
-+ else if (blacklisted_key(key)) {
-+ describe_key("COMPROMISED", key, comment);
-+ ret = 0;
-+ } else
-+ describe_key("Not blacklisted", key, comment);
-+ xfree(blacklist_file);
-+
-+ return ret;
-+}
-+
-+int
-+do_filename(const char *filename, int quiet_open)
-+{
-+ FILE *f;
-+ char line[SSH_MAX_PUBKEY_BYTES];
-+ char *cp;
-+ u_long linenum = 0;
-+ Key *key;
-+ char *comment = NULL;
-+ int found = 0, ret = 1;
-+
-+ /* Copy much of key_load_public's logic here so that we can read
-+ * several keys from a single file (e.g. authorized_keys).
-+ */
-+
-+ if (strcmp(filename, "-") != 0) {
-+ f = fopen(filename, "r");
-+ if (!f) {
-+ char pubfile[MAXPATHLEN];
-+ if (strlcpy(pubfile, filename, sizeof pubfile) <
-+ sizeof(pubfile) &&
-+ strlcat(pubfile, ".pub", sizeof pubfile) <
-+ sizeof(pubfile))
-+ f = fopen(pubfile, "r");
-+ }
-+ if (!f) {
-+ if (!quiet_open)
-+ perror(filename);
-+ return -1;
-+ }
-+ } else
-+ f = stdin;
-+ while (read_keyfile_line(f, filename, line, sizeof(line),
-+ &linenum) != -1) {
-+ cp = line;
-+ switch (*cp) {
-+ case '#':
-+ case '\n':
-+ case '\0':
-+ continue;
-+ }
-+ /* Skip leading whitespace. */
-+ for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
-+ ;
-+ /* Cope with ssh-keyscan output. */
-+ comment = NULL;
-+ if (*cp) {
-+ char *space;
-+ int type;
-+
-+ space = strchr(cp, ' ');
-+ if (!space)
-+ continue;
-+ *space = '\0';
-+ type = key_type_from_name(cp);
-+ if (type == KEY_UNSPEC) {
-+ comment = xstrdup(cp);
-+ cp = space + 1;
-+ }
-+ *space = ' ';
-+ }
-+ if (!comment)
-+ comment = xstrdup(filename);
-+ if (*cp) {
-+ key = key_new(KEY_RSA1);
-+ if (key_read(key, &cp) == 1) {
-+ if (!do_key(key, comment))
-+ ret = 0;
-+ key_free(key);
-+ found = 1;
-+ } else {
-+ key_free(key);
-+ key = key_new(KEY_UNSPEC);
-+ if (key_read(key, &cp) == 1) {
-+ if (!do_key(key, comment))
-+ ret = 0;
-+ key_free(key);
-+ found = 1;
-+ }
-+ }
-+ }
-+ xfree(comment);
-+ comment = NULL;
-+ }
-+ if (f != stdin)
-+ fclose(f);
-+
-+ if (!found && filename) {
-+ key = key_load_public(filename, &comment);
-+ if (key) {
-+ if (!do_key(key, comment))
-+ ret = 0;
-+ found = 1;
-+ }
-+ if (comment)
-+ xfree(comment);
-+ }
-+
-+ return ret;
-+}
-+
-+int
-+do_host(void)
-+{
-+ int i;
-+ struct stat st;
-+ int ret = 1;
-+
-+ for (i = 0; default_host_files[i]; i++) {
-+ if (stat(default_host_files[i], &st) < 0)
-+ continue;
-+ if (!do_filename(default_host_files[i], 1))
-+ ret = 0;
-+ }
-+
-+ return ret;
-+}
-+
-+int
-+do_user(const char *dir)
-+{
-+ int i;
-+ char buf[MAXPATHLEN];
-+ struct stat st;
-+ int ret = 1;
-+
-+ for (i = 0; default_files[i]; i++) {
-+ snprintf(buf, sizeof(buf), "%s/%s", dir, default_files[i]);
-+ if (stat(buf, &st) < 0)
-+ continue;
-+ if (!do_filename(buf, 0))
-+ ret = 0;
-+ }
-+
-+ return ret;
-+}
-+
-+int
-+main(int argc, char **argv)
-+{
-+ int opt, all_users = 0;
-+ int ret = 1;
-+ extern int optind;
-+
-+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-+ sanitise_stdfd();
-+
-+ __progname = ssh_get_progname(argv[0]);
-+
-+ SSLeay_add_all_algorithms();
-+ log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-+
-+ /* We don't need the RNG ourselves, but symbol references here allow
-+ * ld to link us properly.
-+ */
-+ init_rng();
-+ seed_rng();
-+
-+ while ((opt = getopt(argc, argv, "ahq")) != -1) {
-+ switch (opt) {
-+ case 'a':
-+ all_users = 1;
-+ break;
-+ case 'q':
-+ quiet = 1;
-+ break;
-+ case 'h':
-+ default:
-+ usage();
-+ }
-+ }
-+
-+ if (all_users) {
-+ struct passwd *pw;
-+
-+ if (!do_host())
-+ ret = 0;
-+
-+ while ((pw = getpwent()) != NULL) {
-+ if (pw->pw_dir) {
-+ if (!do_user(pw->pw_dir))
-+ ret = 0;
-+ }
-+ }
-+ } else if (optind == argc) {
-+ struct passwd *pw;
-+
-+ if (!do_host())
-+ ret = 0;
-+
-+ if ((pw = getpwuid(getuid())) == NULL)
-+ fprintf(stderr, "No user found with uid %u\n",
-+ (u_int)getuid());
-+ else {
-+ if (!do_user(pw->pw_dir))
-+ ret = 0;
-+ }
-+ } else {
-+ while (optind < argc)
-+ if (!do_filename(argv[optind++], 0))
-+ ret = 0;
-+ }
-+
-+ return ret;
-+}
-Index: openssh-4.7p1/auth-rsa.c
-===================================================================
---- openssh-4.7p1.orig/auth-rsa.c
-+++ openssh-4.7p1/auth-rsa.c
-@@ -40,6 +40,7 @@
- #include "servconf.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "auth.h"
- #ifdef GSSAPI
- #include "ssh-gss.h"
-@@ -221,6 +222,7 @@ auth_rsa_key_allowed(struct passwd *pw,
- char *cp;
- char *key_options;
- int keybits;
-+ char *fp;
-
- /* Skip leading whitespace, empty and comment lines. */
- for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -265,6 +267,19 @@ auth_rsa_key_allowed(struct passwd *pw,
- "actual %d vs. announced %d.",
- file, linenum, BN_num_bits(key->rsa->n), bits);
-
-+ if (blacklisted_key(key)) {
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ xfree(fp);
-+ if (!options.permit_blacklisted_keys)
-+ continue;
-+ }
-+
- /* We have found the desired key. */
- /*
- * If our options do not allow this key to be used,
-Index: openssh-4.7p1/pathnames.h
-===================================================================
---- openssh-4.7p1.orig/pathnames.h
-+++ openssh-4.7p1/pathnames.h
-@@ -66,6 +66,8 @@
- /* Backwards compatibility */
- #define _PATH_DH_PRIMES SSHDIR "/primes"
-
-+#define _PATH_BLACKLIST SSHDIR "/blacklist"
-+
- #ifndef _PATH_SSH_PROGRAM
- #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
- #endif
-Index: openssh-4.7p1/auth2-pubkey.c
-===================================================================
---- openssh-4.7p1.orig/auth2-pubkey.c
-+++ openssh-4.7p1/auth2-pubkey.c
-@@ -47,6 +47,7 @@
- #include "compat.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "auth.h"
- #include "pathnames.h"
- #include "uidswap.h"
-@@ -411,9 +412,23 @@ user_key_allowed2(struct passwd *pw, Key
- int
- user_key_allowed(struct passwd *pw, Key *key)
- {
-+ char *fp;
- int success;
- char *file;
-
-+ if (blacklisted_key(key)) {
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ xfree(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-+
- file = authorized_keys_file(pw);
- success = user_key_allowed2(pw, key, file);
- xfree(file);
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
deleted file mode 100644
index 28952b4a..00000000
--- a/net-misc/openssh/files/sshd.confd
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd
-
-# Where is your sshd_config file stored?
-
-SSHD_CONFDIR="/etc/ssh"
-
-
-# Any random options you want to pass to sshd.
-# See the sshd(8) manpage for more info.
-
-SSHD_OPTS=""
-
-
-# Pid file to use (needs to be absolute path).
-
-#SSHD_PIDFILE="/var/run/sshd.pid"
-
-
-# Path to the sshd binary (needs to be absolute path).
-
-#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.pam b/net-misc/openssh/files/sshd.pam
deleted file mode 100644
index 51149402..00000000
--- a/net-misc/openssh/files/sshd.pam
+++ /dev/null
@@ -1,9 +0,0 @@
-#%PAM-1.0
-
-auth required pam_stack.so service=system-auth
-auth required pam_shells.so
-auth required pam_nologin.so
-account required pam_stack.so service=system-auth
-password required pam_stack.so service=system-auth
-session required pam_stack.so service=system-auth
-
diff --git a/net-misc/openssh/files/sshd.pam_include b/net-misc/openssh/files/sshd.pam_include
deleted file mode 100644
index 14d9016a..00000000
--- a/net-misc/openssh/files/sshd.pam_include
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-
-auth include system-auth
-auth required pam_shells.so
-auth required pam_nologin.so
-account include system-auth
-password include system-auth
-session include system-auth
diff --git a/net-misc/openssh/files/sshd.pam_include.1 b/net-misc/openssh/files/sshd.pam_include.1
deleted file mode 100644
index 567ba4ac..00000000
--- a/net-misc/openssh/files/sshd.pam_include.1
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-
-auth required pam_shells.so
-auth required pam_nologin.so
-auth include system-auth
-account include system-auth
-password include system-auth
-session include system-auth
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
deleted file mode 100644
index b801aaaf..00000000
--- a/net-misc/openssh/files/sshd.pam_include.2
+++ /dev/null
@@ -1,4 +0,0 @@
-auth include system-remote-login
-account include system-remote-login
-password include system-remote-login
-session include system-remote-login
diff --git a/net-misc/openssh/files/sshd.rc6 b/net-misc/openssh/files/sshd.rc6
deleted file mode 100644
index aeaf09c9..00000000
--- a/net-misc/openssh/files/sshd.rc6
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.24 2009/04/12 20:12:49 robbat2 Exp $
-
-opts="${opts} reload"
-
-depend() {
- use logger dns
- need net
-}
-
-SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
-SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
-SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
-
-checkconfig() {
- if [ ! -d /var/empty ] ; then
- mkdir -p /var/empty || return 1
- fi
-
- if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
- eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- gen_keys || return 1
-
- "${SSHD_BINARY}" -t ${myopts} || return 1
-}
-
-gen_keys() {
- if [ ! -e "${SSHD_CONFDIR}"/ssh_host_key ] ; then
- einfo "Generating Hostkey..."
- /usr/bin/ssh-keygen -t rsa1 -b 1024 -f "${SSHD_CONFDIR}"/ssh_host_key -N '' || return 1
- fi
- if [ ! -e "${SSHD_CONFDIR}"/ssh_host_dsa_key ] ; then
- einfo "Generating DSA-Hostkey..."
- /usr/bin/ssh-keygen -d -f "${SSHD_CONFDIR}"/ssh_host_dsa_key -N '' || return 1
- fi
- if [ ! -e "${SSHD_CONFDIR}"/ssh_host_rsa_key ] ; then
- einfo "Generating RSA-Hostkey..."
- /usr/bin/ssh-keygen -t rsa -f "${SSHD_CONFDIR}"/ssh_host_rsa_key -N '' || return 1
- fi
- return 0
-}
-
-start() {
- local myopts=""
- [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
- && myopts="${myopts} -o PidFile=${SSHD_PIDFILE}"
- [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
- && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
-
- checkconfig || return 1
- ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" \
- -- ${myopts} ${SSHD_OPTS}
- eend $?
-}
-
-stop() {
- if [ "${RC_CMD}" = "restart" ] ; then
- checkconfig || return 1
- fi
-
- ebegin "Stopping ${SVCNAME}"
- start-stop-daemon --stop --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" --quiet
- eend $?
-}
-
-reload() {
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --stop --signal HUP --oknodo \
- --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
- eend $?
-}
diff --git a/net-misc/openssh/openssh-5.2_p1-r1.ebuild b/net-misc/openssh/openssh-5.2_p1-r1.ebuild
deleted file mode 100644
index deb4dde3..00000000
--- a/net-misc/openssh/openssh-5.2_p1-r1.ebuild
+++ /dev/null
@@ -1,224 +0,0 @@
-# Copyright 1999-2009 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-5.2_p1-r1.ebuild,v 1.10 2009/04/12 22:39:03 vapier Exp $
-
-inherit eutils flag-o-matic multilib autotools pam
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_/}
-
-#HPN_PATCH="${PARCH/2/1}-hpn13v5.diff.gz"
-LDAP_PATCH="${PARCH/openssh/openssh-lpk}-0.3.11.patch.gz"
-PKCS11_PATCH="${PARCH/p1}pkcs11-0.26.tar.bz2"
-X509_VER="6.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- http://www.sxw.org.uk/computing/patches/openssh-5.0p1-gsskex-20080404.patch
- ${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${PKCS11_PATCH:+pkcs11? ( http://alon.barlev.googlepages.com/${PKCS11_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}"
-
-LICENSE="as-is"
-SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
-IUSE="hpn kerberos ldap libedit pam pkcs11 selinux skey smartcard static tcpd X X509"
-
-RDEPEND="pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- selinux? ( >=sys-libs/libselinux-1.28 )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ldap? ( net-nds/openldap )
- libedit? ( dev-libs/libedit )
- >=dev-libs/openssl-0.9.6d
- >=sys-libs/zlib-1.2.3
- smartcard? ( dev-libs/opensc )
- pkcs11? ( dev-libs/pkcs11-helper )
- tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
- X? ( x11-apps/xauth )
- userland_GNU? ( sys-apps/shadow )"
-DEPEND="${RDEPEND}
- dev-util/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )"
-PROVIDE="virtual/ssh"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && use ${1} && echo ${1} ; }
- local fail="
- $(maybe_fail ldap LDAP_PATCH)
- $(maybe_fail pkcs11 PKCS11_PATCH)
- $(maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-}
-
-src_unpack() {
- unpack ${PARCH}.tar.gz
- cd "${S}"
-
- sed -i \
- -e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
- pathnames.h || die
-
- if use pkcs11 ; then
- cd "${WORKDIR}"
- unpack "${PKCS11_PATCH}"
- cd "${S}"
- EPATCH_OPTS="-p1" epatch "${WORKDIR}"/*pkcs11*/{1,2,4}*
- use X509 && EPATCH_OPTS="-R" epatch "${WORKDIR}"/*pkcs11*/1000_all_log.patch
- fi
- use X509 && epatch "${DISTDIR}"/${X509_PATCH}
- use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
- if ! use X509 ; then
- if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- # The patch for bug 210110 64-bit stuff is now included.
- epatch "${DISTDIR}"/${LDAP_PATCH}
- # Not needed anymore of 0.3.11. Merged into the main patch.
- #epatch "${FILESDIR}"/${PN}-5.1_p1-ldap-hpn-glue.patch
- fi
- #epatch "${DISTDIR}"/openssh-5.0p1-gsskex-20080404.patch #115553 #216932
- else
- use ldap && ewarn "Sorry, X509 and ldap don't get along, disabling ldap"
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- [[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
- epatch "${FILESDIR}"/${PN}-4.7p1-selinux.diff #191665
- use ldap && epatch "${FILESDIR}"/${P}-BJA-ldap-stdargs.diff
-
- sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
-
- # Disable PATH reset, trust what portage gives us. bug 254615
- sed -i -e 's:^PATH=/:#PATH=/:' configure || die
-
- eautoreconf
-}
-
-src_compile() {
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys #skey configure code triggers this
-
- local myconf=""
- if use static ; then
- append-ldflags -static
- use pam && ewarn "Disabling pam support becuse of static flag"
- myconf="${myconf} --without-pam"
- else
- myconf="${myconf} $(use_with pam)"
- fi
-
- econf \
- --with-ldflags="${LDFLAGS}" \
- --disable-strip \
- --sysconfdir=/etc/ssh \
- --libexecdir=/usr/$(get_libdir)/misc \
- --datadir=/usr/share/openssh \
- --with-privsep-path=/var/empty \
- --with-privsep-user=sshd \
- --with-md5-passwords \
- --with-ssl-engine \
- $(use_with kerberos kerberos5 /usr) \
- ${LDAP_PATCH:+$(use ldap && use_with ldap)} \
- $(use_with libedit) \
- ${PKCS11_PATCH:+$(use pkcs11 && use_with pkcs11)} \
- $(use_with selinux) \
- $(use_with skey) \
- $(use_with smartcard opensc) \
- $(use_with tcpd tcp-wrappers) \
- ${myconf} \
- || die "bad configure"
- emake || die "compile problem"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}" || die
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${D}"/etc/ssh/sshd_config || die "sed of configuration file failed"
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(getent passwd ${UID} | cut -d: -f7)
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- for t in ${tests} ; do
- # Some tests read from stdin ...
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_postinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-
- # help fix broken perms caused by older ebuilds.
- # can probably cut this after the next stage release.
- chmod u+x "${ROOT}"/etc/skel/.ssh >& /dev/null
-
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "restart sshd: '/etc/init.d/sshd restart'."
- if use pam ; then
- echo
- ewarn "Please be aware users need a valid shell in /etc/passwd"
- ewarn "in order to be allowed to login."
- fi
- if use pkcs11 ; then
- echo
- einfo "For PKCS#11 you should also emerge one of the askpass softwares"
- einfo "Example: net-misc/x11-ssh-askpass"
- fi
-}