authorhubertf <hubertf@pkgsrc.org>1997-12-14 16:17:14 +0000
committerhubertf <hubertf@pkgsrc.org>1997-12-14 16:17:14 +0000
commit43efe0593ab76f5e81767f05a92acfee07909ba8 (patch)
tree382869867dbf6faa175f20f1f3cfddd1c93bded3 /security
parent1eedf0651d1e976611f2669efe4ac879586636a7 (diff)
downloadpkgsrc-43efe0593ab76f5e81767f05a92acfee07909ba8.tar.gz
Secure Shell package; Originally taken from FreeBSD, hacked by agc and
finished by me.
Diffstat (limited to 'security')
-rw-r--r--security/ssh/Makefile142
-rw-r--r--security/ssh/files/md52
-rw-r--r--security/ssh/patches/patch-aa19
-rw-r--r--security/ssh/patches/patch-ab51
-rw-r--r--security/ssh/patches/patch-ac92
-rw-r--r--security/ssh/patches/patch-ae19
-rw-r--r--security/ssh/patches/patch-af423
-rw-r--r--security/ssh/patches/patch-ah14
-rw-r--r--security/ssh/patches/patch-ai40
-rw-r--r--security/ssh/patches/patch-aj40
-rw-r--r--security/ssh/patches/patch-al27
-rw-r--r--security/ssh/patches/patch-ao13
-rw-r--r--security/ssh/pkg/COMMENT1
-rw-r--r--security/ssh/pkg/DESCR99
-rw-r--r--security/ssh/pkg/PLIST27
15 files changed, 1009 insertions, 0 deletions
diff --git a/security/ssh/Makefile b/security/ssh/Makefile
new file mode 100644
index 00000000000..58cb00c1556
--- /dev/null
+++ b/security/ssh/Makefile
@@ -0,0 +1,142 @@
+# New ports collection makefile for: ssh
+# Version required: 1.2.21
+# Date created: 19971214
+# Whom: hubertf@netbsd.org
+#
+# $NetBSD: Makefile,v 1.1.1.1 1997/12/14 16:17:14 hubertf Exp $
+# FreeBSD Id: Makefile,v 1.47 1997/11/10 22:04:42 dima Exp
+#
+# Maximal ssh package requires YES values for
+# USE_PERL, USE_TCPWRAP
+#
+
+DISTNAME= ssh-1.2.21
+CATEGORIES= security net
+MASTER_SITES= ftp://ftp.funet.fi/pub/unix/security/login/ssh/
+
+MAINTAINER= hubertf@netbsd.org
+
+# You can set USA_RESIDENT appropriately in /etc/make.conf if this bugs you..
+.if !defined(USA_RESIDENT)
+USA_RESIDENT= NO
+.endif
+
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+DISTFILES= ${DISTNAME}.tar.gz rsaref2.tar.gz
+MASTER_SITES= \
+ ftp://ftp.funet.fi/pub/unix/security/login/ssh/ \
+ ftp://nic.funet.fi/pub/crypt/mirrors/ftp.dsi.unimi.it/applied-crypto/ \
+ ftp://rzsun2.informatik.uni-hamburg.de/pub/virus/crypt/ripem/ \
+ ftp://idea.sec.dsi.unimi.it/pub/security/crypt/math/ \
+ ftp://ftp.univie.ac.at/security/crypt/cryptography/asymmetric/rsa/ \
+ ftp://isdec.vc.cvut.cz/pub/security/unimi/crypt/applied-crypto/
+.endif
+
+RESTRICTED= "Crypto; export-controlled"
+IS_INTERACTIVE= YES
+
+GNU_CONFIGURE= YES
+
+CONFIGURE_ARGS= --prefix=${PREFIX} --with-etcdir=${PREFIX}/etc
+
+#Uncomment if all your users are in their own group and their homedir
+#is writeable by that group. Beware the security implications!
+#CONFIGURE_ARGS+= --enable-group-writeability
+
+#Uncomment if you want to allow ssh to emulate an unencrypted rsh connection
+#over a secure medium. This is normally dangerous since it can lead to the
+#disclosure keys and passwords.
+#CONFIGURE_ARGS+= --with-none
+
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+CONFIGURE_ARGS+= --with-rsaref
+.endif
+
+# Include support for the SecureID card
+# Warning: untested !
+.if defined(USE_SECUREID) && ${USE_SECUREID} == YES
+CONFIGURE_ARGS+= --with-secureid
+.endif
+
+# Don't use IDEA. IDEA can be freely used for non-commercial use. However,
+# commercial use may require a licence in a number of countries
+# Warning: untested !
+.if defined(DONT_USE_IDEA) && ${DONT_USE_IDEA} == YES
+CONFIGURE_ARGS+= --without-idea
+.endif
+
+MAN1= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 \
+ make-ssh-known-hosts.1
+MAN8= sshd.8
+
+
+pre-patch:
+ @${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \
+ ${WRKSRC}/make-ssh-known-hosts.pl.in
+
+fetch-depends:
+.if !defined(USA_RESIDENT) || ${USA_RESIDENT} != YES && ${USA_RESIDENT} != NO
+ @echo
+ @echo You must set variable USA_RESIDENT to YES if you are a USA
+ @echo resident or NO otherwise.
+ @echo If you are a USA resident you have to get the RSAREF2
+ @echo library \(RSA Inc. holds a patent on RSA and public key
+ @echo cypto in general - using RSA implementations other than
+ @echo RSAREF will violate the US patent law\)
+ @echo and extract it to ${WRKSRC}.
+ @false
+.endif
+
+post-extract:
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+ @mv ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2
+.endif
+
+post-install:
+ @ln -sf /etc/ssh_host_key ${PREFIX}/etc
+ @ln -sf /etc/ssh_host_key.pub ${PREFIX}/etc
+ @if [ ! -f ${PREFIX}/etc/ssh_host_key ]; then \
+ echo "Generating a secret host key..."; \
+ ${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \
+ fi
+.if defined(MANZ)
+ rm -f ${PREFIX}/man/man1/slogin.1.gz
+ ln -sf ssh.1.gz ${PREFIX}/man/man1/slogin.1.gz
+.else
+ rm -f ${PREFIX}/man/man1/slogin.1
+ ln -sf ssh.1 ${PREFIX}/man/man1/slogin.1
+.endif
+# @if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
+# echo "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
+# echo "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
+# echo "[ -f ${PREFIX}/etc/ssh_host_key ] || ${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ''" >> ${PREFIX}/etc/rc.d/sshd.sh; \
+# echo "[ -x ${PREFIX}/sbin/sshd ] && ${PREFIX}/sbin/sshd && echo -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
+# chmod 755 ${PREFIX}/etc/rc.d/sshd.sh; \
+# fi
+
+.include <bsd.port.mk>
+
+# Following stuff must be after <bsd.port.mk> to expand exists() properly
+
+.if defined(USE_PERL) && ${USE_PERL} == YES || \
+ exists(${PREFIX}/bin/perl5.00401) && \
+ (!defined(USE_PERL) || ${USE_PERL} != NO)
+BUILD_DEPENDS+= perl5.00404:${PORTSDIR}/lang/perl5
+CONFIGURE_ENV+= PERL=${PREFIX}/bin/perl5.00404
+.else
+CONFIGURE_ENV+= PERL=/replace_it_with_PERL_path
+.endif
+
+# Include tcp-wrapper support (call remote identd)
+.if defined(USE_TCPWRAP) && ${USE_TCPWRAP} == YES || \
+ exists(${PREFIX}/lib/libwrap.a) && \
+ (!defined(USE_TCPWRAP) || ${USE_TCPWRAP} != NO)
+CONFIGURE_ENV+= LDFLAGS=-L${PREFIX}/lib CFLAGS="${CFLAGS} -I${PREFIX}/include"
+CONFIGURE_ARGS+= --with-libwrap
+LIB_DEPENDS+= wrap\\.7\\.:${PORTSDIR}/security/tcp_wrapper
+.endif
+
+# Include SOCKS firewall support
+.if defined(USE_SOCKS) && ${USE_SOCKS} == YES
+CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5"
+.endif
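Review bot: The `fetch-depends` guard `.if !defined(USA_RESIDENT) || ...` can never report an unset USA_RESIDENT, because the `.if !defined(USA_RESIDENT) / USA_RESIDENT= NO` block earlier in the file has already defaulted it before the check runs; a user who never saw the RSAREF notice silently gets the non-RSAREF build, so either drop the default or test a separate sentinel if the prompt is meant to be seen. The `post-install` host-key generation (`ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""`) writes through the `/etc/ssh_host_key` symlink created two lines above it, and the same generation is repeated in `pkg/PLIST` as an `@exec`; a comment such as `# Host-key generation is duplicated in pkg/PLIST (@exec) for binary installs - keep both in step.` would stop the two drifting apart. The `--with-none` comment should read `disclosure of keys and passwords`, and it is worth stating there that `--with-none` is off by default precisely so the package never ships a cleartext-capable sshd unless the builder opts in.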
diff --git a/security/ssh/files/md5 b/security/ssh/files/md5
new file mode 100644
index 00000000000..a539987481f
--- /dev/null
+++ b/security/ssh/files/md5
@@ -0,0 +1,2 @@
+MD5 (ssh-1.2.21.tar.gz) = 881f612cd3598b5370545ab2ad808795
+MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d
diff --git a/security/ssh/patches/patch-aa b/security/ssh/patches/patch-aa
new file mode 100644
index 00000000000..83e9968ac31
--- /dev/null
+++ b/security/ssh/patches/patch-aa
@@ -0,0 +1,19 @@
+*** make-ssh-known-hosts.pl.in.orig Wed Apr 23 08:40:05 1997
+--- make-ssh-known-hosts.pl.in Fri Apr 25 12:38:21 1997
+***************
+*** 87,93 ****
+ $debug = 5;
+ $defserver = '';
+ $bell='\a';
+! $public_key = '/etc/ssh_host_key.pub';
+ $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
+ $timeout = 60;
+ $ping_timeout = 3;
+--- 87,93 ----
+ $debug = 5;
+ $defserver = '';
+ $bell='\a';
+! $public_key = '@ETCDIR@/ssh_host_key.pub';
+ $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
+ $timeout = 60;
+ $ping_timeout = 3;
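Review bot: `$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$"` on the new side keeps a predictable file name in a world-writable directory, so another local user can pre-create that path (or a symlink at it) and have the collected host keys written through it; the patch only relocates `$public_key` and leaves this untouched. Because this file is the staging area for `ssh_known_hosts`, a tampered temp file is a host-key-substitution vector rather than a mere nuisance. Create it with `sysopen(FH, $private_ssh_known_hosts, O_WRONLY|O_CREAT|O_EXCL, 0600)` and abort if it already exists, or place it under a directory only the invoking user can write, e.g. `$private_ssh_known_hosts = "$ENV{HOME}/.ssh/ssh_known_hosts.$$";`. How the file is actually opened is outside the hunk, so confirm that against the rest of the script.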
diff --git a/security/ssh/patches/patch-ab b/security/ssh/patches/patch-ab
new file mode 100644
index 00000000000..dba02a731c0
--- /dev/null
+++ b/security/ssh/patches/patch-ab
@@ -0,0 +1,51 @@
+*** configure.orig Wed Apr 23 08:40:06 1997
+--- configure Fri Apr 25 12:38:54 1997
+***************
+*** 1757,1768 ****
+
+ export CFLAGS CC
+
+- # Socket pairs appear to be broken on several systems. I don't know exactly
+- # where, so I'll use pipes everywhere for now.
+- cat >> confdefs.h <<\EOF
+- #define USE_PIPES 1
+- EOF
+-
+
+ echo $ac_n "checking that the compiler works""... $ac_c" 1>&6
+ echo "configure:1769: checking that the compiler works" >&5
+--- 1757,1762 ----
+***************
+*** 2759,2765 ****
+
+ fi
+
+! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+--- 2753,2759 ----
+
+ fi
+
+! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+***************
+*** 7031,7037 ****
+
+ cat >> $CONFIG_STATUS <<EOF
+
+! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile"}
+ EOF
+ cat >> $CONFIG_STATUS <<\EOF
+ for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+--- 7025,7031 ----
+
+ cat >> $CONFIG_STATUS <<EOF
+
+! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl"}
+ EOF
+ cat >> $CONFIG_STATUS <<\EOF
+ for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
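Review bot: The first hunk deletes the `USE_PIPES` define from `configure` without recording why the upstream concern ("socket pairs appear to be broken on several systems") does not apply to this platform, so the next person regenerating configure or porting further has nothing to go on. Since both the generated `configure` here and `configure.in` (patch-aj) are patched, a one-line rationale in the pkgsrc patch header — e.g. `# socketpair(2) is known good on the target system; USE_PIPES is only a workaround for platforms with broken AF_UNIX socket pairs` — keeps the two edits in step and explains the behavioural change. The `CONFIG_FILES` edit dropping `zlib-1.0.4/Makefile` in favour of `make-ssh-known-hosts.pl` is consistent with patch-ac moving to the system zlib.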
diff --git a/security/ssh/patches/patch-ac b/security/ssh/patches/patch-ac
new file mode 100644
index 00000000000..6027311b99d
--- /dev/null
+++ b/security/ssh/patches/patch-ac
@@ -0,0 +1,92 @@
+--- Makefile.in.orig Fri Aug 22 01:28:42 1997
++++ Makefile.in Mon Nov 24 15:14:18 1997
+@@ -263,8 +263,10 @@
+ GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
+
+ ZLIBDIR = zlib-1.0.4
+-ZLIBDEP = $(ZLIBDIR)/libz.a
+-ZLIBLIBS = -L$(ZLIBDIR) -lz
++ZLIBINCDIR = /usr/include
++ZLIBLIBDIR = /usr/lib
++ZLIBDEP = $(ZLIBINCDIR)/libz.a
++ZLIBLIBS = -L$(ZLIBLIBDIR) -lz
+
+ RSAREFDIR = rsaref2
+ RSAREFSRCDIR = $(RSAREFDIR)/source
+@@ -368,7 +370,7 @@
+ $(CC) -o rfc-pg rfc-pg.o
+
+ .c.o:
+- $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
++ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
+
+ sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
+ -rm -f sshd
+@@ -416,14 +418,14 @@
+ $(GMPDIR)/libgmp.a:
+ cd $(GMPDIR); $(MAKE)
+
+-$(ZLIBDEP):
+- -if test '!' -d $(ZLIBDIR); then \
+- mkdir $(ZLIBDIR); \
+- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
+- fi
+- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
+- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
+- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
++#$(ZLIBDEP):
++# -if test '!' -d $(ZLIBDIR); then \
++# mkdir $(ZLIBDIR); \
++# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
++# fi
++# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
++# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
++# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
+
+ $(RSAREFSRCDIR)/librsaref.a:
+ -if test '!' -d $(RSAREFDIR); then \
+@@ -480,7 +482,7 @@
+ # (otherwise it can only log in as the user it runs as, and must be
+ # bound to a non-privileged port). Also, password authentication may
+ # not be available if non-root and using shadow passwords.
+-install: $(PROGRAMS) make-dirs generate-host-key install-configs
++install: $(PROGRAMS) make-dirs install-configs
+ -rm -f $(install_prefix)$(bindir)/ssh.old
+ -mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
+ -chmod 755 $(install_prefix)$(bindir)/ssh.old
+@@ -591,13 +593,13 @@
+ -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
+ cd $(GMPDIR); $(MAKE) clean
+ # cd $(RSAREFSRCDIR); rm -f *.o *.a
+- cd $(ZLIBDIR); $(MAKE) clean
++# cd $(ZLIBDIR); $(MAKE) clean
+
+ distclean: clean
+ -rm -f Makefile config.status config.cache config.log config.h
+ -rm -f ssh.1 sshd.8 make-ssh-known-hosts.1
+ cd $(GMPDIR); $(MAKE) distclean
+- cd $(ZLIBDIR); $(MAKE) distclean
++# cd $(ZLIBDIR); $(MAKE) distclean
+
+ dist: dist-free
+
+@@ -632,8 +634,8 @@
+ gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
+ # tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -)
+ # cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a
+- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
+- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
++# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
++# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
+
+ dist-free-make-tar:
+ tar pcf $(DISTNAME).tar $(DISTNAME)
+@@ -656,7 +658,7 @@
+ (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
+
+ depend:
+- $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS)
++ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS)
+
+ tags:
+ -rm -f TAGS
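Review bot: `ZLIBDEP = $(ZLIBINCDIR)/libz.a` at the top of the patch resolves to `/usr/include/libz.a`, the header directory rather than the library; `sshd` lists `$(ZLIBDEP)` as a prerequisite and the rule that used to build it is now commented out, so unless that path happens to exist make has no way to satisfy the dependency. It should read `ZLIBDEP = $(ZLIBLIBDIR)/libz.a`. The compile line's `-I$(srcdir)/$(ZLIBINCDIR)` likewise expands to a relative `./usr/include`-style path and should be plain `-I$(ZLIBINCDIR)`. Building against the system zlib instead of the bundled 1.0.4 copy is the right supply-chain move — the library then gets patched with the base system rather than frozen inside this package — so it is worth a comment saying that is the intent, rather than leaving the old recipe commented out.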
diff --git a/security/ssh/patches/patch-ae b/security/ssh/patches/patch-ae
new file mode 100644
index 00000000000..6c0ffecd0dd
--- /dev/null
+++ b/security/ssh/patches/patch-ae
@@ -0,0 +1,19 @@
+*** server_config.sample.orig Thu Mar 27 09:04:06 1997
+--- server_config.sample Fri Mar 28 15:45:53 1997
+***************
+*** 16,22 ****
+ FascistLogging no
+ PrintMotd yes
+ KeepAlive yes
+! SyslogFacility DAEMON
+ RhostsAuthentication no
+ RhostsRSAAuthentication yes
+ RSAAuthentication yes
+--- 16,22 ----
+ FascistLogging no
+ PrintMotd yes
+ KeepAlive yes
+! SyslogFacility AUTH
+ RhostsAuthentication no
+ RhostsRSAAuthentication yes
+ RSAAuthentication yes
diff --git a/security/ssh/patches/patch-af b/security/ssh/patches/patch-af
new file mode 100644
index 00000000000..736cd569902
--- /dev/null
+++ b/security/ssh/patches/patch-af
@@ -0,0 +1,423 @@
+*** sshd.c.orig Wed Apr 23 04:40:08 1997
+--- sshd.c Wed Jun 11 14:56:57 1997
+***************
+*** 400,405 ****
+--- 400,409 ----
+ #include "firewall.h" /* TIS authsrv authentication */
+ #endif
+
++ #ifdef HAVE_LOGIN_CAP_H
++ #include <login_cap.h>
++ #endif
++
+ #ifdef _PATH_BSHELL
+ #define DEFAULT_SHELL _PATH_BSHELL
+ #else
+***************
+*** 1542,1547 ****
+--- 1546,1583 ----
+ endspent();
+ }
+ #endif /* HAVE_ETC_SHADOW */
++ #ifdef __FreeBSD__
++ {
++ time_t currtime;
++
++ if (pwd->pw_change || pwd->pw_expire)
++ currtime = time(NULL);
++
++ /*
++ * Check for an expired password
++ */
++ if (pwd->pw_change && pwd->pw_change <= currtime)
++ {
++ debug("Account %.100s's password is too old - forced to change.",
++ user);
++ if (options.forced_passwd_change)
++ forced_command = "/usr/bin/passwd";
++ else
++ {
++ return 0;
++ }
++ }
++
++ /*
++ * Check for expired account
++ */
++ if (pwd->pw_expire && pwd->pw_expire <= currtime)
++ {
++ debug("Account %.100s has expired - access denied.", user);
++ return 0;
++ }
++ }
++ #else /* !FreeBSD */
+ /*
+ * Check if account is locked. Check if encrypted password starts
+ * with "*LK*".
+***************
+*** 1553,1558 ****
+--- 1589,1595 ----
+ return 0;
+ }
+ }
++ #endif /* !FreeBSD */
+ #ifdef CHECK_ETC_SHELLS
+ {
+ int invalid = 1;
+***************
+*** 1698,1703 ****
+--- 1735,1743 ----
+ memset(&pwcopy, 0, sizeof(pwcopy));
+ pwcopy.pw_name = xstrdup(pw->pw_name);
+ pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
++ #ifdef HAVE_LOGIN_CAP_H
++ pwcopy.pw_class = xstrdup(pw->pw_class);
++ #endif
+ pwcopy.pw_uid = pw->pw_uid;
+ pwcopy.pw_gid = pw->pw_gid;
+ pwcopy.pw_dir = xstrdup(pw->pw_dir);
+***************
+*** 2654,2659 ****
+--- 2694,2702 ----
+ struct sockaddr_in from;
+ int fromlen;
+ struct pty_cleanup_context cleanup_context;
++ #ifdef HAVE_LOGIN_CAP_H
++ login_cap_t *lc;
++ #endif
+
+ /* We no longer need the child running on user's privileges. */
+ userfile_uninit();
+***************
+*** 2725,2735 ****
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+ &from);
+
+ /* Check if .hushlogin exists. Note that we cannot use userfile
+ here because we are in the child. */
+ sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
+ quiet_login = stat(line, &st) >= 0;
+!
+ /* If the user has logged in before, display the time of last login.
+ However, don't display anything extra if a command has been
+ specified (so that ssh can be used to execute commands on a remote
+--- 2768,2786 ----
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+ &from);
+
++ #ifdef HAVE_LOGIN_CAP_H
++ lc = login_getclass(pw->pw_class);
++ #endif
++
+ /* Check if .hushlogin exists. Note that we cannot use userfile
+ here because we are in the child. */
+ sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
+ quiet_login = stat(line, &st) >= 0;
+!
+! #ifdef HAVE_LOGIN_CAP_H
+! quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+! #endif
+!
+ /* If the user has logged in before, display the time of last login.
+ However, don't display anything extra if a command has been
+ specified (so that ssh can be used to execute commands on a remote
+***************
+*** 2749,2754 ****
+--- 2800,2828 ----
+ printf("Last login: %s from %s\r\n", time_string, buf);
+ }
+
++ #ifdef __FreeBSD__
++ if (command == NULL && !quiet_login)
++ {
++ #ifdef HAVE_LOGIN_CAP_H
++ char *cw;
++ FILE *f;
++
++ cw = login_getcapstr(lc, "copyright", NULL, NULL);
++ if (cw != NULL && (f = fopen(cw, "r")) != NULL)
++ {
++ while (fgets(line, sizeof(line), f))
++ fputs(line, stdout);
++ fclose(f);
++ }
++ else
++ #endif
++ printf("%s\n\t%s %s\n\n",
++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
++ "The Regents of the University of California. ",
++ "All rights reserved.");
++ }
++ #endif
++
+ /* Print /etc/motd unless a command was specified or printing it was
+ disabled in server options. Note that some machines appear to
+ print it in /etc/profile or similar. */
+***************
+*** 2758,2764 ****
+--- 2832,2842 ----
+ FILE *f;
+
+ /* Print /etc/motd if it exists. */
++ #ifdef HAVE_LOGIN_CAP_H
++ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
++ #else
+ f = fopen("/etc/motd", "r");
++ #endif
+ if (f)
+ {
+ while (fgets(line, sizeof(line), f))
+***************
+*** 2766,2771 ****
+--- 2844,2872 ----
+ fclose(f);
+ }
+ }
++ #ifdef __FreeBSD__
++ if (command == NULL && !quiet_login)
++ {
++ #ifdef broken_HAVE_LOGIN_CAP_H
++ char *mp = getenv("MAIL");
++
++ if (mp != NULL)
++ {
++ strncpy(line, mp, sizeof line);
++ line[sizeof line - 1] = '\0';
++ }
++ else
++ #endif
++ sprintf(line, "%s/%.200s", _PATH_MAILDIR, pw->pw_name);
++ if (stat(line, &st) == 0 && st.st_size != 0)
++ printf("You have %smail.\n",
++ (st.st_mtime > st.st_atime) ? "new " : "");
++ }
++ #endif
++
++ #ifdef HAVE_LOGIN_CAP_H
++ login_close(lc);
++ #endif
+
+ /* Do common processing for the child, such as execing the command. */
+ do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
+***************
+*** 3017,3023 ****
+ char *user_shell;
+ char *remote_ip;
+ int remote_port;
+!
+ /* Check /etc/nologin. */
+ f = fopen("/etc/nologin", "r");
+ if (f)
+--- 3118,3130 ----
+ char *user_shell;
+ char *remote_ip;
+ int remote_port;
+! #ifdef HAVE_LOGIN_CAP_H
+! login_cap_t *lc;
+! char *real_shell;
+!
+! lc = login_getclass(pw->pw_class);
+! auth_checknologin(lc);
+! #else /* !HAVE_LOGIN_CAP_H */
+ /* Check /etc/nologin. */
+ f = fopen("/etc/nologin", "r");
+ if (f)
+***************
+*** 3031,3036 ****
+--- 3138,3144 ----
+ if (pw->pw_uid != UID_ROOT)
+ exit(254);
+ }
++ #endif /* HAVE_LOGIN_CAP_H */
+
+ if (command != NULL)
+ {
+***************
+*** 3043,3049 ****
+ else
+ log_msg("executing remote command as user %.200s", pw->pw_name);
+ }
+!
+ #ifdef HAVE_SETLOGIN
+ /* Set login name in the kernel. Warning: setsid() must be called before
+ this. */
+--- 3151,3158 ----
+ else
+ log_msg("executing remote command as user %.200s", pw->pw_name);
+ }
+!
+! #ifndef HAVE_LOGIN_CAP_H
+ #ifdef HAVE_SETLOGIN
+ /* Set login name in the kernel. Warning: setsid() must be called before
+ this. */
+***************
+*** 3064,3069 ****
+--- 3173,3179 ----
+ if (setpcred((char *)pw->pw_name, NULL))
+ log_msg("setpcred %.100s: %.100s", strerror(errno));
+ #endif /* HAVE_USERSEC_H */
++ #endif /* !HAVE_LOGIN_CAP_H */
+
+ /* Save some data that will be needed so that we can do certain cleanups
+ before we switch to user's uid. (We must clear all sensitive data
+***************
+*** 3134,3139 ****
+--- 3244,3309 ----
+ if (command != NULL || !options.use_login)
+ #endif /* USELOGIN */
+ {
++ #ifdef HAVE_LOGIN_CAP_H
++ char *p, *s, **tmpenv;
++
++ /* Initialize the new environment.
++ */
++ envsize = 64;
++ env = xmalloc(envsize * sizeof(char *));
++ env[0] = NULL;
++
++ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
++
++ #ifdef MAIL_SPOOL_DIRECTORY
++ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
++ child_set_env(&env, &envsize, "MAIL", buf);
++ #else /* MAIL_SPOOL_DIRECTORY */
++ #ifdef MAIL_SPOOL_FILE
++ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
++ child_set_env(&env, &envsize, "MAIL", buf);
++ #endif /* MAIL_SPOOL_FILE */
++ #endif /* MAIL_SPOOL_DIRECTORY */
++
++ /* Let it inherit timezone if we have one. */
++ if (getenv("TZ"))
++ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
++
++ /* Save previous environment array
++ */
++ tmpenv = environ;
++ environ = env;
++
++ /* Set the user's login environment
++ */
++ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
++ {
++ perror("setusercontext");
++ exit(1);
++ }
++
++ p = getenv("PATH");
++ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
++ *s = '\0';
++ if (p != NULL)
++ {
++ strcat(s, p);
++ strcat(s, ":");
++ }
++ strcat(s, SSH_BINDIR);
++
++ env = environ;
++ environ = tmpenv; /* Restore parent environment */
++ for (envsize = 0; env[envsize] != NULL; ++envsize)
++ ;
++ /* Reallocate this to what is expected */
++ envsize = (envsize < 100) ? 100 : envsize + 16;
++ env = xrealloc(env, envsize * sizeof(char *));
++
++ child_set_env(&env, &envsize, "PATH", s);
++ xfree(s);
++
++ #else /* !HAVE_LOGIN_CAP_H */
+ /* Set uid, gid, and groups. */
+ if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
+ {
+***************
+*** 3165,3170 ****
+--- 3335,3341 ----
+
+ if (getuid() != user_uid || geteuid() != user_uid)
+ fatal("Failed to set uids to %d.", (int)user_uid);
++ #endif /* HAVE_LOGIN_CAP_H */
+ }
+
+ /* Reset signals to their default settings before starting the user
+***************
+*** 3175,3185 ****
+--- 3346,3361 ----
+ and means /bin/sh. */
+ shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
+
++ #ifdef HAVE_LOGIN_CAP_H
++ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
++ login_close(lc);
++ #else /* !HAVE_LOGIN_CAP_H */
+ /* Initialize the environment. In the first part we allocate space for
+ all environment variables. */
+ envsize = 100;
+ env = xmalloc(envsize * sizeof(char *));
+ env[0] = NULL;
++ #endif /* HAVE_LOGIN_CAP_H */
+
+ #ifdef USELOGIN
+ if (command != NULL || !options.use_login)
+***************
+*** 3189,3194 ****
+--- 3365,3372 ----
+ child_set_env(&env, &envsize, "HOME", user_dir);
+ child_set_env(&env, &envsize, "USER", user_name);
+ child_set_env(&env, &envsize, "LOGNAME", user_name);
++
++ #ifndef HAVE_LOGIN_CAP_H
+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
+
+ #ifdef MAIL_SPOOL_DIRECTORY
+***************
+*** 3200,3205 ****
+--- 3378,3384 ----
+ child_set_env(&env, &envsize, "MAIL", buf);
+ #endif /* MAIL_SPOOL_FILE */
+ #endif /* MAIL_SPOOL_DIRECTORY */
++ #endif /* !HAVE_LOGIN_CAP_H */
+
+ #ifdef HAVE_ETC_DEFAULT_LOGIN
+ /* Read /etc/default/login; this exists at least on Solaris 2.x. Note
+***************
+*** 3215,3223 ****
+--- 3394,3404 ----
+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+ original_command);
+
++ #ifndef HAVE_LOGIN_CAP_H
+ /* Let it inherit timezone if we have one. */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
++ #endif /* !HAVE_LOGIN_CAP_H */
+
+ /* Set custom environment options from RSA authentication. */
+ while (custom_environment)
+***************
+*** 3437,3443 ****
+--- 3618,3628 ----
+ /* Execute the shell. */
+ argv[0] = buf;
+ argv[1] = NULL;
++ #ifdef HAVE_LOGIN_CAP_H
++ execve(real_shell, argv, env);
++ #else
+ execve(shell, argv, env);
++ #endif /* HAVE_LOGIN_CAP_H */
+ /* Executing the shell failed. */
+ perror(shell);
+ exit(1);
+***************
+*** 3458,3464 ****
+--- 3643,3653 ----
+ argv[1] = "-c";
+ argv[2] = (char *)command;
+ argv[3] = NULL;
++ #ifdef HAVE_LOGIN_CAP_H
++ execve(real_shell, argv, env);
++ #else
+ execve(shell, argv, env);
++ #endif /* HAVE_LOGIN_CAP_H */
+ perror(shell);
+ exit(1);
+ }
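Review bot: The password-expiry and account-expiry checks added after the `HAVE_ETC_SHADOW` block are wrapped in `#ifdef __FreeBSD__`, which a NetBSD build does not define, so on the platform this pkgsrc package targets `pw_change`/`pw_expire` are never enforced and an expired account still logs in; NetBSD's `struct passwd` carries the same fields, so the guard should be `#if defined(__FreeBSD__) || defined(__NetBSD__)` (the same guard also disables the copyright and mail-notice blocks, which are merely cosmetic). The login_cap branch in `do_child` also drops the post-privilege-drop verification: the `getuid() != user_uid || geteuid() != user_uid` fatal now sits only under `#else`, so the login-cap path trusts `setusercontext`'s return value alone; hoist that check outside the `#ifdef` so both paths end by confirming the uid actually changed. `auth_checknologin(lc)` replaces the manual `/etc/nologin` test, which exempted root via `pw_uid != UID_ROOT`; as far as I can tell the libutil routine has no such exemption, so confirm that locking root out while nologin exists is intended. `do_child` and the account-validity helper both begin and end outside the hunk.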
diff --git a/security/ssh/patches/patch-ah b/security/ssh/patches/patch-ah
new file mode 100644
index 00000000000..c06b14c7541
--- /dev/null
+++ b/security/ssh/patches/patch-ah
@@ -0,0 +1,14 @@
+*** config.h.in.orig Wed Apr 23 08:40:06 1997
+--- config.h.in Fri Apr 25 12:40:48 1997
+***************
+*** 527,532 ****
+--- 527,535 ----
+ /* Define if you have the <lastlog.h> header file. */
+ #undef HAVE_LASTLOG_H
+
++ /* Define if you have the <login_cap.h> header file. */
++ #undef HAVE_LOGIN_CAP_H
++
+ /* Define if you have the <machine/endian.h> header file. */
+ #undef HAVE_MACHINE_ENDIAN_H
+
diff --git a/security/ssh/patches/patch-ai b/security/ssh/patches/patch-ai
new file mode 100644
index 00000000000..241dbf31f7d
--- /dev/null
+++ b/security/ssh/patches/patch-ai
@@ -0,0 +1,40 @@
+*** userfile.c.orig Thu Mar 27 09:04:13 1997
+--- userfile.c Sat Mar 29 01:16:51 1997
+***************
+*** 166,171 ****
+--- 166,175 ----
+ #endif
+
+
++ #ifdef HAVE_LOGIN_CAP_H
++ #include <login_cap.h>
++ #endif
++
+ /* Protocol message types. */
+ #define USERFILE_OPEN 1
+ #define USERFILE_OPEN_REPLY 2
+***************
+*** 626,631 ****
+--- 630,641 ----
+ /* Child. We will start serving request. */
+ if (uid != geteuid() || uid != getuid())
+ {
++ #ifdef HAVE_LOGIN_CAP_H
++ struct passwd * pw = getpwuid(uid);
++ login_cap_t * lc = login_getuserclass(pw);
++ if (setusercontext(lc, pw, uid, LOGIN_SETALL&~(LOGIN_SETLOGIN|LOGIN_SETPATH|LOGIN_SETENV)) < 0)
++ fatal("setusercontext: %s", strerror(errno));
++ #else
+ if (setgid(gid) < 0)
+ fatal("setgid: %s", strerror(errno));
+
+***************
+*** 636,641 ****
+--- 646,652 ----
+
+ if (setuid(uid) < 0)
+ fatal("setuid: %s", strerror(errno));
++ #endif /* HAVE_LOGIN_CAP_H */
+ }
+
+ /* Enter the server main loop. */
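Review bot: `getpwuid(uid)` in the new `HAVE_LOGIN_CAP_H` branch is not checked for NULL before being handed to `login_getuserclass()` and `setusercontext()`, so a uid with no passwd entry (deleted mid-session, or a directory-service outage) passes a NULL `pw` into the privilege drop instead of failing closed the way the `#else` path's explicit `setgid`/`setuid` error checks do. Add `if (pw == NULL) fatal("getpwuid %d: no such user", (int)uid);` before `login_getuserclass(pw)`. Whether `setusercontext` tolerates a NULL pw for the flag set used here is not visible in this hunk, so fail explicitly rather than rely on it.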
diff --git a/security/ssh/patches/patch-aj b/security/ssh/patches/patch-aj
new file mode 100644
index 00000000000..60f7495697f
--- /dev/null
+++ b/security/ssh/patches/patch-aj
@@ -0,0 +1,40 @@
+*** configure.in.orig Wed Apr 23 08:40:06 1997
+--- configure.in Fri Apr 25 12:41:26 1997
+***************
+*** 616,624 ****
+
+ export CFLAGS CC
+
+! # Socket pairs appear to be broken on several systems. I don't know exactly
+! # where, so I'll use pipes everywhere for now.
+! AC_DEFINE(USE_PIPES)
+
+ AC_MSG_CHECKING([that the compiler works])
+ AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
+--- 616,624 ----
+
+ export CFLAGS CC
+
+! dnl # Socket pairs appear to be broken on several systems. I don't know exactly
+! dnl # where, so I'll use pipes everywhere for now.
+! dnl AC_DEFINE(USE_PIPES)
+
+ AC_MSG_CHECKING([that the compiler works])
+ AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
+***************
+*** 671,677 ****
+
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h)
+ AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
+ AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
+ AC_HEADER_TIME
+--- 671,677 ----
+
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h)
+ AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
+ AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
+ AC_HEADER_TIME
diff --git a/security/ssh/patches/patch-al b/security/ssh/patches/patch-al
new file mode 100644
index 00000000000..1da799c26ac
--- /dev/null
+++ b/security/ssh/patches/patch-al
@@ -0,0 +1,27 @@
+*** sshconnect.c.orig Wed Apr 23 08:40:11 1997
+--- sshconnect.c Fri Apr 25 12:41:59 1997
+***************
+*** 311,316 ****
+--- 311,322 ----
+ {
+ struct sockaddr_in sin;
+ int p;
++ #if defined(__FreeBSD__) && !defined(SOCKS)
++ p = 1023; /* Compat with old FreeBSD */
++ sock = rresvport(&p);
++ if (sock < 0)
++ fatal("rresvport: %.100s", strerror(errno));
++ #else
+ for (p = 1023; p > 512; p--)
+ {
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+***************
+*** 338,343 ****
+--- 344,350 ----
+ }
+ fatal("bind: %.100s", strerror(errno));
+ }
++ #endif
+ debug("Allocated local port %d.", p);
+ }
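Review bot: The new `rresvport()` path is guarded by `__FreeBSD__`, so on a NetBSD build this patch is a no-op and the original bind loop over ports 1023 down to 513 is still what runs; if the pkgsrc target is meant to use it, the guard should be `#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(SOCKS)`, since NetBSD provides the same `rresvport(3)`. Either way a short comment should say which platforms the privileged-port path applies to, because the surrounding function (which starts outside the hunk) silently falls back to the loop elsewhere.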
+ else
diff --git a/security/ssh/patches/patch-ao b/security/ssh/patches/patch-ao
new file mode 100644
index 00000000000..5072ce4d394
--- /dev/null
+++ b/security/ssh/patches/patch-ao
@@ -0,0 +1,13 @@
+--- newchannels.c.orig Tue Apr 22 17:40:11 1997
++++ newchannels.c Sat Jul 19 11:42:06 1997
+@@ -2139,6 +2139,10 @@
+ ssh-agent connections on your system */
+ old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+
++ /* Make sure the socket doesn't already exist, left over from a system
++ crash perhaps. */
++ unlink(channel_forwarded_auth_socket_name);
++
+ if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
+ packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
+
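Review bot: The added `unlink(channel_forwarded_auth_socket_name)` runs before `bind()` regardless of what currently sits at that path, so if the name is ever predictable or collides with another user's socket it is deleted silently; the stale-socket case the comment describes is indistinguishable from a live socket that belongs to someone else, and it is not visible here which uid sshd holds at this point. Safer is to unlink only when the existing entry is a socket that refuses a connect, or to ensure the containing directory is created mode 0700 and owned by the session user before this point, so a leftover can only be that user's. How `channel_forwarded_auth_socket_name` is built is outside the hunk, so check that it already includes a per-session random component and lives in a user-owned directory.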
diff --git a/security/ssh/pkg/COMMENT b/security/ssh/pkg/COMMENT
new file mode 100644
index 00000000000..45e42fd3dd6
--- /dev/null
+++ b/security/ssh/pkg/COMMENT
@@ -0,0 +1 @@
+Secure shell client and server (remote login program).
diff --git a/security/ssh/pkg/DESCR b/security/ssh/pkg/DESCR
new file mode 100644
index 00000000000..307b86088bc
--- /dev/null
+++ b/security/ssh/pkg/DESCR
@@ -0,0 +1,99 @@
+Secure Shell is a program to log into another computer over a network,
+to execute commands in a remote machine, and to move files from one
+machine to another. It provides strong authentication and secure
+communications over insecure channels. It is inteded as a replacement
+for rlogin, rsh, and rcp.
+
+FEATURES
+
+ o Complete replacement for rlogin, rsh, and rcp.
+
+ o Strong authentication. Closes several security holes (e.g., IP,
+ routing, and DNS spoofing). New authentication methods: .rhosts
+ together with RSA based host authentication, and pure RSA
+ authentication.
+
+ o Improved privacy. All communications are automatically and
+ transparently encrypted. RSA is used for key exchange, and a
+ conventional cipher (normally IDEA, DES, or triple-DES) for
+ encrypting the session. Encryption is started before
+ authentication, and no passwords or other information is
+ transmitted in the clear. Encryption is also used to protect
+ against spoofed packets.
+
+ o Secure X11 sessions. The program automatically sets DISPLAY on
+ the server machine, and forwards any X11 connections over the
+ secure channel. Fake Xauthority information is automatically
+ generated and forwarded to the remote machine; the local client
+ automatically examines incoming X11 connections and replaces the
+ fake authorization data with the real data (never telling the
+ remote machine the real information).
+
+ o Arbitrary TCP/IP ports can be redirected through the encrypted channel
+ in both directions (e.g., for e-cash transactions).
+
+ o No retraining needed for normal users; everything happens
+ automatically, and old .rhosts files will work with strong
+ authentication if administration installs host key files.
+
+ o Never trusts the network. Minimal trust on the remote side of
+ the connection. Minimal trust on domain name servers. Pure RSA
+ authentication never trusts anything but the private key.
+
+ o Client RSA-authenticates the server machine in the beginning of
+ every connection to prevent trojan horses (by routing or DNS
+ spoofing) and man-in-the-middle attacks, and the server
+ RSA-authenticates the client machine before accepting .rhosts or
+ /etc/hosts.equiv authentication (to prevent DNS, routing, or
+ IP-spoofing).
+
+ o Host authentication key distribution can be centrally by the
+ administration, automatically when the first connection is made
+ to a machine (the key obtained on the first connection will be
+ recorded and used for authentication in the future), or manually
+ by each user for his/her own use. The central and per-user host
+ key repositories are both used and complement each other. Host
+ keys can be generated centrally or automatically when the software
+ is installed. Host authentication keys are typically 1024 bits.
+
+ o Any user can create any number of user authentication RSA keys for
+ his/her own use. Each user has a file which lists the RSA public
+ keys for which proof of possession of the corresponding private
+ key is accepted as authentication. User authentication keys are
+ typically 1024 bits.
+
+ o The server program has its own server RSA key which is
+ automatically regenerated every hour. This key is never saved in
+ any file. Exchanged session keys are encrypted using both the
+ server key and the server host key. The purpose of the separate
+ server key is to make it impossible to decipher a captured session by
+ breaking into the server machine at a later time; one hour from
+ the connection even the server machine cannot decipher the session
+ key. The key regeneration interval is configurable. The server
+ key is normally 768 bits.
+
+ o An authentication agent, running in the user's laptop or local
+ workstation, can be used to hold the user's RSA authentication
+ keys. Ssh automatically forwards the connection to the
+ authentication agent over any connections, and there is no need to
+ store the RSA authentication keys on any machine in the network
+ (except the user's own local machine). The authentication
+ protocols never reveal the keys; they can only be used to verify
+ that the user's agent has a certain key. Eventually the agent
+ could rely on a smart card to perform all authentication
+ computations.
+
+ o The software can be installed and used (with restricted
+ functionality) even without root privileges.
+
+ o The client is customizable in system-wide and per-user
+ configuration files. Most aspects of the client's operation can
+ be configured. Different options can be specified on a per-host basis.
+
+ o Automatically executes conventional rsh (after displaying a
+ warning) if the server machine is not running sshd.
+
+ o Optional compression of all data with gzip (including forwarded X11
+ and TCP/IP port data), which may result in significant speedups on
+ slow connections.
+
diff --git a/security/ssh/pkg/PLIST b/security/ssh/pkg/PLIST
new file mode 100644
index 00000000000..ac70652f7a4
--- /dev/null
+++ b/security/ssh/pkg/PLIST
@@ -0,0 +1,27 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 1997/12/14 16:17:14 hubertf Exp $
+@comment XXX etc/rc.d/sshd.sh - not yet - hubertf
+bin/scp
+bin/ssh
+@exec ln -fs %f %B/slogin
+@unexec rm -f %B/slogin
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-askpass
+bin/ssh-keygen
+bin/make-ssh-known-hosts
+man/man1/make-ssh-known-hosts.1.gz
+man/man1/scp.1.gz
+man/man1/ssh-add.1.gz
+man/man1/ssh-agent.1.gz
+man/man1/ssh-keygen.1.gz
+man/man1/ssh.1.gz
+man/man1/slogin.1.gz
+man/man8/sshd.8.gz
+sbin/sshd
+etc/ssh_config
+etc/sshd_config
+@exec ln -s /etc/ssh_host_key %B
+@unexec rm -f %B/ssh_host_key
+@exec ln -s /etc/ssh_host_key.pub %B
+@unexec rm -f %B/ssh_host_key.pub
+@exec if [ ! -f %D/etc/ssh_host_key ]; then echo "Generating a secret host key.." ; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi
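Review bot: The final `@exec` regenerates the host key at binary-package install time with the same `ssh-keygen -N ""` the Makefile's post-install runs, while `@unexec rm -f %B/ssh_host_key` removes only the symlink, so the private key in `/etc` survives pkg_delete; that is the right behaviour for a host identity, and a `@comment /etc/ssh_host_key is deliberately kept on deinstall so the host identity survives upgrades` would stop someone "fixing" it later. `etc/ssh_config` and `etc/sshd_config` are listed as ordinary files, so pkg_delete also removes an administrator's edited server configuration; consider installing them as `.default` samples and copying them into place only when absent. The two `ln -s` lines create dangling links until the key exists, so the generation `@exec` must stay after them as it is now.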