Pullup ticket #5178 - requested by taca

security/openssh: security fix

Revisions pulled up:
- security/openssh/Makefile                                     1.250
- security/openssh/distinfo                                     1.103
- security/openssh/options.mk                                   1.34
- security/openssh/patches/patch-auth1.c                        deleted
- security/openssh/patches/patch-clientloop.c                   1.5
- security/openssh/patches/patch-openbsd-compat_bsd-openpty.c   1.4
- security/openssh/patches/patch-session.c                      1.8
- security/openssh/patches/patch-sshd.c                         1.8

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Fri Dec 30 04:43:16 UTC 2016

   Modified Files:
   	pkgsrc/security/openssh: Makefile distinfo options.mk
   	pkgsrc/security/openssh/patches: patch-clientloop.c
   	    patch-openbsd-compat_bsd-openpty.c patch-session.c patch-sshd.c
   Removed Files:
   	pkgsrc/security/openssh/patches: patch-auth1.c

   Log Message:
   Update openssh to 7.4.1 (7.4p1), including security fixes.

   For full changes, please refer ChangeLog file.

   Future deprecation notice
   =========================

   We plan on retiring more legacy cryptography in future releases,
   specifically:

    * In approximately August 2017, removing remaining support for the
      SSH v.1 protocol (client-only and currently compile-time disabled).

    * In the same release, removing support for Blowfish and RC4 ciphers
      and the RIPE-MD160 HMAC. (These are currently run-time disabled).

    * Refusing all RSA keys smaller than 1024 bits (the current minimum
      is 768 bits)

    * The next release of OpenSSH will remove support for running sshd(8)
      with privilege separation disabled.

    * The next release of portable OpenSSH will remove support for
      OpenSSL version prior to 1.0.1.

   This list reflects our current intentions, but please check the final
   release notes for future releases.

   Potentially-incompatible changes
   ================================

   This release includes a number of changes that may affect existing
   configurations:

    * This release removes server support for the SSH v.1 protocol.

    * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
      block ciphers are not safe in 2016 and we don't want to wait until
      attacks like SWEET32 are extended to SSH. As 3des-cbc was the
      only mandatory cipher in the SSH RFCs, this may cause problems
      connecting to older devices using the default configuration,
      but it's highly likely that such devices already need explicit
      configuration for key exchange and hostkey algorithms already
      anyway.

    * sshd(8): Remove support for pre-authentication compression.
      Doing compression early in the protocol probably seemed reasonable
      in the 1990s, but today it's clearly a bad idea in terms of both
      cryptography (cf. multiple compression oracle attacks in TLS) and
      attack surface. Pre-auth compression support has been disabled by
      default for >10 years. Support remains in the client.

    * ssh-agent will refuse to load PKCS#11 modules outside a whitelist
      of trusted paths by default. The path whitelist may be specified
      at run-time.

    * sshd(8): When a forced-command appears in both a certificate and
      an authorized keys/principals command= restriction, sshd will now
      refuse to accept the certificate unless they are identical.
      The previous (documented) behaviour of having the certificate
      forced-command override the other could be a bit confusing and
      error-prone.

    * sshd(8): Remove the UseLogin configuration directive and support
      for having /bin/login manage login sessions.

   Changes since OpenSSH 7.3
   =========================

   This is primarily a bugfix release.

   Security
   --------

    * ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
      outside a trusted whitelist (run-time configurable). Requests to
      load modules could be passed via agent forwarding and an attacker
      could attempt to load a hostile PKCS#11 module across the forwarded
      agent channel: PKCS#11 modules are shared libraries, so this would
      result in code execution on the system running the ssh-agent if the
      attacker has control of the forwarded agent-socket (on the host
      running the sshd server) and the ability to write to the filesystem
      of the host running ssh-agent (usually the host running the ssh
      client). Reported by Jann Horn of Project Zero.

    * sshd(8): When privilege separation is disabled, forwarded Unix-
      domain sockets would be created by sshd(8) with the privileges of
      'root' instead of the authenticated user. This release refuses
      Unix-domain socket forwarding when privilege separation is disabled
      (Privilege separation has been enabled by default for 14 years).
      Reported by Jann Horn of Project Zero.

    * sshd(8): Avoid theoretical leak of host private key material to
      privilege-separated child processes via realloc() when reading
      keys. No such leak was observed in practice for normal-sized keys,
      nor does a leak to the child processes directly expose key material
      to unprivileged users. Reported by Jann Horn of Project Zero.

    * sshd(8): The shared memory manager used by pre-authentication
      compression support had a bounds checks that could be elided by
      some optimising compilers. Additionally, this memory manager was
      incorrectly accessible when pre-authentication compression was
      disabled. This could potentially allow attacks against the
      privileged monitor process from the sandboxed privilege-separation
      process (a compromise of the latter would be required first).
      This release removes support for pre-authentication compression
      from sshd(8). Reported by Guido Vranken using the Stack unstable
      optimisation identification tool (http://css.csail.mit.edu/stack/)

    * sshd(8): Fix denial-of-service condition where an attacker who
      sends multiple KEXINIT messages may consume up to 128MB per
      connection. Reported by Shi Lei of Gear Team, Qihoo 360.

    * sshd(8): Validate address ranges for AllowUser and DenyUsers
      directives at configuration load time and refuse to accept invalid
      ones. It was previously possible to specify invalid CIDR address
      ranges (e.g. user@127.1.2.3/55) and these would always match,
      possibly resulting in granting access where it was not intended.
      Reported by Laurence Parry.

8 files changed, 62 insertions, 93 deletions

diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 119a1c9b55c..95b3d6ba0aa 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.249 2016/09/18 17:30:10 taca Exp $
+# $NetBSD: Makefile,v 1.249.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
-DISTNAME=		openssh-7.3p1
+DISTNAME=		openssh-7.4p1
 PKGNAME=		${DISTNAME:S/p1/.1/}
 CATEGORIES=		security
 MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index f776fb466d5..bd1d5f31174 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,32 +1,31 @@
-$NetBSD: distinfo,v 1.102 2016/09/18 17:30:10 taca Exp $
+$NetBSD: distinfo,v 1.102.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
-SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
-RMD160 (openssh-7.3p1.tar.gz) = 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13
-SHA512 (openssh-7.3p1.tar.gz) = 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801
-Size (openssh-7.3p1.tar.gz) = 1522617 bytes
+SHA1 (openssh-7.4p1.tar.gz) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
+RMD160 (openssh-7.4p1.tar.gz) = dff996c9f7ab697a04968fbd8924642253bc0e06
+SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
+Size (openssh-7.4p1.tar.gz) = 1511780 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
 SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
 SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
-SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
 SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
 SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
-SHA1 (patch-clientloop.c) = 9b2db181d964b7720e1dc12724a9b9033f28d0e7
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
 SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
 SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
 SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
 SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
 SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
-SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
 SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
 SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
 SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = 850cef27299cf8af6a19987d5e070bf501cd57fb
+SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93
 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
 SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = cd23ce269bfb48b0caa901e62fc01d35ef0618ac
+SHA1 (patch-sshd.c) = a1ccf7e54275629965d80d9cf7cd8669d9f1f4cf
 SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
 SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index eb169e3096e..314ee4858df 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,9 +1,9 @@
-# $NetBSD: options.mk,v 1.33 2016/07/10 10:41:38 rillig Exp $
+# $NetBSD: options.mk,v 1.33.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.openssh
-PKG_SUPPORTED_OPTIONS=	hpn-patch kerberos openssl pam
+PKG_SUPPORTED_OPTIONS=	kerberos openssl pam
 PKG_SUGGESTED_OPTIONS=	openssl
 
 .include "../../mk/bsd.options.mk"
@@ -23,11 +23,11 @@ CONFIGURE_ENV+=		ac_cv_search_k_hasafs=no
 .  endif
 .endif
 
-.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES=		openssh-7.1p1-hpn-20150822.diff.bz2
-PATCH_SITES=		ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
-PATCH_DIST_STRIP=	-p1
-.endif
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES=		openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES=		ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP=	-p1
+#.endif
 
 PLIST_VARS+=	pam
 
diff --git a/security/openssh/patches/patch-auth1.c b/security/openssh/patches/patch-auth1.c
deleted file mode 100644
index 011c4bb54db..00000000000
--- a/security/openssh/patches/patch-auth1.c
+++ /dev/null
@@ -1,26 +0,0 @@
-$NetBSD: patch-auth1.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
-
-Replace uid 0 with ROOTUID macro
-
---- auth1.c.orig	2015-08-21 04:49:03.000000000 +0000
-+++ auth1.c
-@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
- 
- #ifndef HAVE_CYGWIN
- 		/* Special handling for root */
--		if (authenticated && authctxt->pw->pw_uid == 0 &&
-+		if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
- 		    !auth_root_allowed(meth->name)) {
-  			authenticated = 0;
- # ifdef SSH_AUDIT_EVENTS
-@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
- 	 * If we are not running as root, the user must have the same uid as
- 	 * the server.
- 	 */
--#ifndef HAVE_CYGWIN
--	if (!use_privsep && getuid() != 0 && authctxt->pw &&
-+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
-+	if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
- 	    authctxt->pw->pw_uid != getuid())
- 		packet_disconnect("Cannot change user when server not running as root.");
- #endif
diff --git a/security/openssh/patches/patch-clientloop.c b/security/openssh/patches/patch-clientloop.c
index e615c28f34a..257176bf10e 100644
--- a/security/openssh/patches/patch-clientloop.c
+++ b/security/openssh/patches/patch-clientloop.c
@@ -1,12 +1,12 @@
-$NetBSD: patch-clientloop.c,v 1.4 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-clientloop.c,v 1.4.8.1 2017/01/08 11:05:07 bsiegert Exp $
 
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
 
---- clientloop.c.orig	2016-03-09 18:04:48.000000000 +0000
+--- clientloop.c.orig	2016-12-19 04:59:41.000000000 +0000
 +++ clientloop.c
-@@ -313,6 +313,10 @@ client_x11_get_proto(const char *display
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
  	struct stat st;
  	u_int now, x11_timeout_real;
  
@@ -17,7 +17,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
  	*_proto = proto;
  	*_data = data;
  	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
-@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
  	}
  
  	if (xauth_path != NULL) {
@@ -51,9 +51,9 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
  		/*
  		 * Handle FamilyLocal case where $DISPLAY does
  		 * not match an authorization entry.  For this we
-@@ -438,6 +469,9 @@ client_x11_get_proto(const char *display
- 	if (!got_data) {
- 		u_int32_t rnd = 0;
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+ 		u_int8_t rnd[16];
+ 		u_int i;
  
 +#if __APPLE__
 +		if (!is_path_to_socket)
diff --git a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
index 05c46daa46a..8f23baa5509 100644
--- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
+++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
@@ -1,25 +1,21 @@
-$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3.8.1 2017/01/08 11:05:07 bsiegert Exp $
 
 Interix support
 
---- openbsd-compat/bsd-openpty.c.orig	2015-08-21 04:49:03.000000000 +0000
+--- openbsd-compat/bsd-openpty.c.orig	2016-12-19 04:59:41.000000000 +0000
 +++ openbsd-compat/bsd-openpty.c
-@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char 
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char 
  		return (-1);
  	}
  
 +#if !defined(HAVE_INTERIX)
  	/*
- 	 * Try to push the appropriate streams modules, as described 
+ 	 * Try to push the appropriate streams modules, as described
  	 * in Solaris pts(7).
- 	 */
- 	ioctl(*aslave, I_PUSH, "ptem");
- 	ioctl(*aslave, I_PUSH, "ldterm");
--# ifndef __hpux
-+  # ifndef __hpux
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char 
+ # ifndef __hpux
  	ioctl(*aslave, I_PUSH, "ttcompat");
--# endif /* __hpux */
-+  # endif /* __hpux */
+ # endif /* __hpux */
 +#endif /* !HAVE_INTERIX */
  
  	return (0);
diff --git a/security/openssh/patches/patch-session.c b/security/openssh/patches/patch-session.c
index 5666fd2151a..db1345ee135 100644
--- a/security/openssh/patches/patch-session.c
+++ b/security/openssh/patches/patch-session.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
+$NetBSD: patch-session.c,v 1.7.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
 * Interix support.
 
---- session.c.orig	2016-07-27 22:54:27.000000000 +0000
+--- session.c.orig	2016-12-19 04:59:41.000000000 +0000
 +++ session.c
-@@ -1120,7 +1120,7 @@ read_etc_default_login(char ***env, u_in
+@@ -934,7 +934,7 @@ read_etc_default_login(char ***env, u_in
  	if (tmpenv == NULL)
  		return;
  
@@ -13,16 +13,16 @@ $NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
  		var = child_get_env(tmpenv, "SUPATH");
  	else
  		var = child_get_env(tmpenv, "PATH");
-@@ -1230,7 +1230,7 @@ do_setup_env(Session *s, const char *she
+@@ -1042,7 +1042,7 @@ do_setup_env(Session *s, const char *she
  #  endif /* HAVE_ETC_DEFAULT_LOGIN */
- 		if (path == NULL || *path == '\0') {
- 			child_set_env(&env, &envsize, "PATH",
--			    s->pw->pw_uid == 0 ?
-+			    s->pw->pw_uid == ROOTUID ?
- 				SUPERUSER_PATH : _PATH_STDPATH);
- 		}
+ 	if (path == NULL || *path == '\0') {
+ 		child_set_env(&env, &envsize, "PATH",
+-		    s->pw->pw_uid == 0 ?  SUPERUSER_PATH : _PATH_STDPATH);
++		    s->pw->pw_uid == ROOTUID ?  SUPERUSER_PATH : _PATH_STDPATH);
+ 	}
  # endif /* HAVE_CYGWIN */
-@@ -1346,6 +1346,18 @@ do_setup_env(Session *s, const char *she
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1154,6 +1154,18 @@ do_setup_env(Session *s, const char *she
  		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
  		read_environment_file(&env, &envsize, buf);
  	}
@@ -41,7 +41,7 @@ $NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
  	if (debug_flag) {
  		/* dump the environment */
  		fprintf(stderr, "Environment:\n");
-@@ -1537,11 +1549,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1345,11 +1357,13 @@ do_setusercontext(struct passwd *pw)
  			perror("setgid");
  			exit(1);
  		}
@@ -55,7 +55,7 @@ $NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
  		endgrent();
  #endif
  
-@@ -2388,7 +2402,7 @@ session_pty_cleanup2(Session *s)
+@@ -2148,7 +2162,7 @@ session_pty_cleanup2(Session *s)
  		record_logout(s->pid, s->tty, s->pw->pw_name);
  
  	/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index d57b45a10c4..dbba0a378a5 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-sshd.c,v 1.7.8.1 2017/01/08 11:05:07 bsiegert Exp $
 
 * Interix support
 * Revive tcp_wrappers support.
 
---- sshd.c.orig	2016-03-09 18:04:48.000000000 +0000
+--- sshd.c.orig	2016-12-19 04:59:41.000000000 +0000
 +++ sshd.c
-@@ -125,6 +125,13 @@
+@@ -123,6 +123,13 @@
  #include "version.h"
  #include "ssherr.h"
  
@@ -16,10 +16,10 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
 +int deny_severity;
 +#endif /* LIBWRAP */
 +
- #ifndef O_NOCTTY
- #define O_NOCTTY	0
- #endif
-@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+@@ -220,7 +227,11 @@ int *startup_pipes = NULL;
  int startup_pipe;		/* in child */
  
  /* variables used for privilege separation */
@@ -31,7 +31,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  struct monitor *pmonitor = NULL;
  int privsep_is_preauth = 1;
  
-@@ -632,7 +643,7 @@ privsep_preauth_child(void)
+@@ -541,7 +552,7 @@ privsep_preauth_child(void)
  	demote_sensitive_data();
  
  	/* Demote the child */
@@ -40,7 +40,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  		/* Change our root directory */
  		if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
  			fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-@@ -643,10 +654,15 @@ privsep_preauth_child(void)
+@@ -552,10 +563,15 @@ privsep_preauth_child(void)
  		/* Drop our privileges */
  		debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
  		    (u_int)privsep_pw->pw_gid);
@@ -56,7 +56,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  	}
  }
  
-@@ -713,10 +729,17 @@ privsep_preauth(Authctxt *authctxt)
+@@ -619,10 +635,17 @@ privsep_preauth(Authctxt *authctxt)
  		/* Arrange for logging to be sent to the monitor */
  		set_log_handler(mm_log_handler, pmonitor);
  
@@ -74,16 +74,16 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  
  		return 0;
  	}
-@@ -730,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -634,7 +657,7 @@ privsep_postauth(Authctxt *authctxt)
  #ifdef DISABLE_FD_PASSING
  	if (1) {
  #else
--	if (authctxt->pw->pw_uid == 0 || options.use_login) {
-+	if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
+-	if (authctxt->pw->pw_uid == 0) {
++	if (authctxt->pw->pw_uid == ROOTUID) {
  #endif
  		/* File descriptor passing is broken or root login */
  		use_privsep = 0;
-@@ -1497,8 +1520,10 @@ main(int ac, char **av)
+@@ -1389,8 +1412,10 @@ main(int ac, char **av)
  	av = saved_argv;
  #endif
  
@@ -95,7 +95,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
-@@ -1925,7 +1950,7 @@ main(int ac, char **av)
+@@ -1766,7 +1791,7 @@ main(int ac, char **av)
  		    (st.st_uid != getuid () ||
  		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
  #else
@@ -104,7 +104,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  #endif
  			fatal("%s must be owned by root and not group or "
  			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1948,8 +1973,10 @@ main(int ac, char **av)
+@@ -1789,8 +1814,10 @@ main(int ac, char **av)
  	 * to create a file, and we can't control the code in every
  	 * module which might be used).
  	 */
@@ -115,7 +115,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  
  	if (rexec_flag) {
  		rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -2145,6 +2172,25 @@ main(int ac, char **av)
+@@ -1972,6 +1999,25 @@ main(int ac, char **av)
  	audit_connection_from(remote_ip, remote_port);
  #endif