Resurrect openssh+gssapi per request of jwise@.

16 files changed, 568 insertions, 0 deletions

diff --git a/security/openssh+gssapi/DESCR b/security/openssh+gssapi/DESCR
new file mode 100644
index 00000000000..784da25242d
--- /dev/null
+++ b/security/openssh+gssapi/DESCR
@@ -0,0 +1,8 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This package adds enhanced support for GSSAPI, provided by sxw.org.uk.
diff --git a/security/openssh+gssapi/INSTALL b/security/openssh+gssapi/INSTALL
new file mode 100644
index 00000000000..e0a3e44fb0e
--- /dev/null
+++ b/security/openssh+gssapi/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.4 2004/06/15 18:44:57 kristerw Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+	for dir in $DIRS; do
+		if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+			for file in $FILES; do
+				path=$dir/$file
+				if [ -f $path ]; then
+					${CAT} <<EOF
+===========================================================================
+
+                           *===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+	@PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+					exit
+				fi
+			done
+		fi
+	done
+	;;
+esac
diff --git a/security/openssh+gssapi/MESSAGE b/security/openssh+gssapi/MESSAGE
new file mode 100644
index 00000000000..a3873a4add6
--- /dev/null
+++ b/security/openssh+gssapi/MESSAGE
@@ -0,0 +1,17 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+
+                           *===* NOTICE *===*
+
+If you have existing config files for OpenSSH located at /etc/ssh.conf
+and /etc/sshd.conf, then you will have to copy them:
+
+	/etc/ssh.conf  --> ${PKG_SYSCONFDIR}/ssh_config
+	/etc/sshd.conf --> ${PKG_SYSCONFDIR}/sshd_config
+
+The `${OPENSSH_USER}' user and `${OPENSSH_GROUP}' group used for
+privilege separation have been created if they did not already exist.
+For security reasons, UsePrivilegeSeparation has to be yes
+(the default value).
+
+===========================================================================
diff --git a/security/openssh+gssapi/MESSAGE.pam b/security/openssh+gssapi/MESSAGE.pam
new file mode 100644
index 00000000000..df4c02dee8d
--- /dev/null
+++ b/security/openssh+gssapi/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+	${EGDIR}/sshd.pam
+
+to your PAM configuration file.
+===========================================================================
diff --git a/security/openssh+gssapi/MESSAGE.urandom b/security/openssh+gssapi/MESSAGE.urandom
new file mode 100644
index 00000000000..5f92af1a28d
--- /dev/null
+++ b/security/openssh+gssapi/MESSAGE.urandom
@@ -0,0 +1,8 @@
+===========================================================================
+$NetBSD: MESSAGE.urandom,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+
+You will need a working /dev/urandom.  Please make sure you have a kernel
+compiled from a config file containing the line:
+
+	pseudo-device	rnd
+===========================================================================
diff --git a/security/openssh+gssapi/Makefile b/security/openssh+gssapi/Makefile
new file mode 100644
index 00000000000..79957085900
--- /dev/null
+++ b/security/openssh+gssapi/Makefile
@@ -0,0 +1,162 @@
+# $NetBSD: Makefile,v 1.16 2004/06/15 18:44:57 kristerw Exp $
+
+# NOTE:  This package is modeled on ../openssh, but does not share
+# files with it as that package may update faster than the gssapi
+# patches do.
+
+DISTNAME=		openssh-3.6.1p2
+PKGNAME=		openssh+gssapi-3.6.1.2.20030430
+PKGREVISION=		3
+SVR4_PKGNAME=		osshgss
+CATEGORIES=		security
+MASTER_SITES=		ftp://ftp7.usa.openbsd.org/pub/os/OpenBSD/OpenSSH/portable/ \
+			ftp://ftp.stealth.net/pub/mirrors/ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
+			http://public.planetmirror.com.au/pub/OpenBSD/OpenSSH/portable/ \
+			ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
+			ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \
+			ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/
+PATCH_SITES=    	http://www.sxw.org.uk/computing/patches/
+PATCHFILES=     	openssh-3.6.1p2-gssapi-20030430.diff
+PATCH_DIST_STRIP=	-p1
+
+# Don't delete the last entry -- it's there if the pkgsrc version is not
+# up-to-date and the mirrors already removed the old distfile.
+
+MAINTAINER=		jwise@NetBSD.org
+HOMEPAGE=		http://www.openssh.com/
+COMMENT=		Open Source Secure shell client and server with enhanced GSSAPI support
+
+CONFLICTS=		sftp-[0-9]*
+CONFLICTS+=		ssh-[0-9]* ssh6-[0-9]* ssh2-[0-9]*
+CONFLICTS+=		openssh-[0-9]*
+
+USE_PERL5=		build
+
+CRYPTO=			yes
+KERBEROS=		yes
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+=		USE_INET6
+#BUILD_DEFS+=		KERBEROS
+
+.include "../../mk/bsd.prefs.mk"
+
+INSTALL_TARGET=		install-nokeys
+PLIST_SRC=		# empty
+MESSAGE_SRC=		${.CURDIR}/MESSAGE
+
+PKG_USERS=		${OPENSSH_USER}:${OPENSSH_GROUP}:${OPENSSH_UID}:sshd\\ privsep:${OPENSSH_CHROOT}:${NOLOGIN}
+PKG_GROUPS=             ${OPENSSH_GROUP}:${OPENSSH_GID}
+
+SSH_PID_DIR=		/var/run	# default directory for PID files
+
+PKG_SYSCONFSUBDIR=	ssh
+MANDIR=			man
+
+PLIST_SUBST+=		MANDIR=${MANDIR}
+
+USE_BUILDLINK3=		yes
+USE_PKGINSTALL=		yes
+GNU_CONFIGURE=		yes
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+=	--mandir=${PREFIX}/${MANDIR}
+CONFIGURE_ARGS+=	--with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+=	--with-ssl-dir=${SSLBASE}
+CONFIGURE_ARGS+=	--with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+CONFIGURE_ARGS+=	--with-privsep-path=${OPENSSH_CHROOT}
+CONFIGURE_ARGS+=	--with-privsep-user=${OPENSSH_USER}
+CONFIGURE_ARGS+=	--with-kerberos5=/usr
+CONFIGURE_ARGS+=	--with-kerberos4=/usr
+
+CPPFLAGS+=		-I/usr/include/krb5 -I/usr/include/kerberosIV
+
+# XXX: PAM authentication causes memory faults, and I haven't tracked down
+# XXX: why yet.  For the moment, disable PAM authentication.
+#
+#.if defined(USE_PAM)
+#.include "../../security/PAM/buildlink3.mk"
+#CONFIGURE_ARGS+=	--with-pam
+#PLIST_SRC+=		${.CURDIR}/PLIST.pam
+#MESSAGE_SRC+=		${.CURDIR}/MESSAGE.pam
+#.endif
+
+.if (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+.  include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-skey=${BUILDLINK_PREFIX.skey}
+.elif ${OPSYS} == "NetBSD"
+# XXX: NetBSD has 4 args (4: sslen) to skeychallenge instead of 3
+#CONFIGURE_ARGS+=	--with-skey=/usr
+CONFIGURE_ARGS+=	--without-skey
+.else
+CONFIGURE_ARGS+=	--without-skey
+.endif
+
+.if defined(KERBEROS)
+PKG_USE_KERBEROS=		yes
+CONFIGURE_ARGS+=	--with-kerberos4=/usr
+LDFLAGS+=		-lkrb -lcom_err -lroken -ldes -lcrypto
+.endif
+
+CONFIGURE_ENV+=		LD=${CC:Q}
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM=	${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM=	${X11PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM}
+MAKE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM}
+
+CONFS=			ssh_config sshd_config
+SUPPS=			moduli
+
+.if exists(/dev/urandom)
+MESSAGE_SRC+=		${.CURDIR}/MESSAGE.urandom
+.else
+CONFIGURE_ARGS+=	--without-random
+CONFS+=			ssh_prng_cmds
+PLIST_SRC+=		${.CURDIR}/PLIST.prng
+.endif
+
+EGDIR=			${PREFIX}/share/examples/openssh
+CONF_FILES=		# empty
+.for FILE in ${CONFS}
+CONF_FILES+=		${EGDIR}/${FILE} ${PKG_SYSCONFDIR}/${FILE}
+.endfor
+SUPPORT_FILES=		# empty
+.for FILE in ${SUPPS}
+SUPPORT_FILES+=		${EGDIR}/${FILE} ${PKG_SYSCONFDIR}/${FILE}
+.endfor
+OWN_DIRS=		${OPENSSH_CHROOT}
+RCD_SCRIPTS=		sshd
+
+PLIST_SRC+=		${.CURDIR}/PLIST
+FILES_SUBST+=		SSH_PID_DIR=${SSH_PID_DIR}
+MESSAGE_SUBST+=		EGDIR=${EGDIR}
+MESSAGE_SUBST+=		OPENSSH_USER=${OPENSSH_USER}
+MESSAGE_SUBST+=		OPENSSH_GROUP=${OPENSSH_GROUP}
+
+INSTALL_EXTRA_TMPL+=	${.CURDIR}/INSTALL
+
+pre-configure:
+	cd ${WRKSRC} && ${AUTORECONF}
+
+post-install:
+	${INSTALL_DATA_DIR} ${EGDIR}
+	cd ${WRKSRC}; for file in ${CONFS} ${SUPPS}; do			\
+		${INSTALL_DATA} $${file}.out ${EGDIR}/$${file};		\
+	done
+#.if defined(USE_PAM)
+#	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.freebsd ${EGDIR}/sshd.pam
+#.endif
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+.include "../../mk/autoconf.mk"
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/openssh+gssapi/PLIST b/security/openssh+gssapi/PLIST
new file mode 100644
index 00000000000..df9532567df
--- /dev/null
+++ b/security/openssh+gssapi/PLIST
@@ -0,0 +1,29 @@
+@comment $NetBSD: PLIST,v 1.4 2004/06/15 18:44:57 kristerw Exp $
+bin/scp
+bin/sftp
+bin/slogin
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+${MANDIR}/man1/scp.1
+${MANDIR}/man1/sftp.1
+${MANDIR}/man1/slogin.1
+${MANDIR}/man1/ssh-add.1
+${MANDIR}/man1/ssh-agent.1
+${MANDIR}/man1/ssh-keygen.1
+${MANDIR}/man1/ssh-keyscan.1
+${MANDIR}/man1/ssh.1
+${MANDIR}/man5/ssh_config.5
+${MANDIR}/man5/sshd_config.5
+${MANDIR}/man8/sftp-server.8
+${MANDIR}/man8/ssh-keysign.8
+${MANDIR}/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+share/examples/openssh/ssh_config
+share/examples/openssh/sshd_config
+@dirrm share/examples/openssh
diff --git a/security/openssh+gssapi/PLIST.pam b/security/openssh+gssapi/PLIST.pam
new file mode 100644
index 00000000000..1a5bc7cc5ba
--- /dev/null
+++ b/security/openssh+gssapi/PLIST.pam
@@ -0,0 +1,2 @@
+@comment $NetBSD: PLIST.pam,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+share/examples/openssh/sshd.pam
diff --git a/security/openssh+gssapi/PLIST.prng b/security/openssh+gssapi/PLIST.prng
new file mode 100644
index 00000000000..e0f33eb6481
--- /dev/null
+++ b/security/openssh+gssapi/PLIST.prng
@@ -0,0 +1,3 @@
+@comment $NetBSD: PLIST.prng,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+libexec/ssh-rand-helper
+share/examples/openssh/ssh_prng_cmds
diff --git a/security/openssh+gssapi/distinfo b/security/openssh+gssapi/distinfo
new file mode 100644
index 00000000000..48f865e6a3b
--- /dev/null
+++ b/security/openssh+gssapi/distinfo
@@ -0,0 +1,11 @@
+$NetBSD: distinfo,v 1.5 2004/06/15 18:44:57 kristerw Exp $
+
+SHA1 (openssh-3.6.1p2.tar.gz) = dafe5b6ee2c8ced12c2ee8961530b4e51c2f0bcf
+Size (openssh-3.6.1p2.tar.gz) = 879629 bytes
+SHA1 (openssh-3.6.1p2-gssapi-20030430.diff) = a938638ad7d861e4f55ef5f8410acfdaac8a9e57
+Size (openssh-3.6.1p2-gssapi-20030430.diff) = 121077 bytes
+SHA1 (patch-aa) = 20abe6938aba07ab7b6c7eab5d24a303f0cd2298
+SHA1 (patch-ab) = 1069fe256b7925fcf404781ef14e5c492f52c21e
+SHA1 (patch-ah) = 9913c868bde5d318915b1dee2c05dcf454a0f506
+SHA1 (patch-ai) = a564c1c9df9704fa8ed20bd31a5eb36450c72f2b
+SHA1 (patch-aj) = a83eed6c0a5703a2953682b4627be38a87bfb65f
diff --git a/security/openssh+gssapi/files/sshd.sh b/security/openssh+gssapi/files/sshd.sh
new file mode 100644
index 00000000000..64490d99407
--- /dev/null
+++ b/security/openssh+gssapi/files/sshd.sh
@@ -0,0 +1,105 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+	. /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+	(
+	umask 022
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_key ]; then
+		@ECHO@ "You already have an RSA host key in @PKG_SYSCONFDIR@/ssh_host_key"
+		@ECHO@ "Skipping protocol version 1 RSA Key Generation"
+	else
+		${keygen_command} -t rsa1 -b 1024 -f @PKG_SYSCONFDIR@/ssh_host_key -N ''
+	fi
+
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+		@ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+		@ECHO@ "Skipping protocol version 2 DSA Key Generation"
+	else
+		${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+	fi
+
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+		@ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+		@ECHO@ "Skipping protocol version 2 RSA Key Generation"
+	else
+		${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+	fi
+	)
+}
+
+sshd_precmd()
+{
+	if [ ! -f @PKG_SYSCONFDIR@/ssh_host_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+		if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+		then
+			run_rc_command keygen
+		else
+			eval ${keygen_cmd}
+		fi
+	fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+	load_rc_config $name
+	run_rc_command "$1"
+else
+	case ${1:-start} in
+	start)
+		if [ -x ${command} -a -f ${required_files} ]
+		then
+			@ECHO@ "Starting ${name}."
+			eval ${start_precmd}
+			eval ${command} ${sshd_flags} ${command_args}
+		fi
+		;;
+	stop)
+		if [ -f ${pidfile} ]; then
+			pid=`@HEAD@ -1 ${pidfile}`
+			@ECHO@ "Stopping ${name}."
+			kill -TERM ${pid}
+		else
+			@ECHO@ "${name} not running?"
+		fi
+		;;
+	restart)
+		( $0 stop )
+		sleep 1
+		$0 start
+		;;
+	status)
+		if [ -f ${pidfile} ]; then
+			pid=`@HEAD@ -1 ${pidfile}`
+			@ECHO@ "${name} is running as pid ${pid}."
+		else
+			@ECHO@ "${name} is not running."
+		fi
+		;;
+	keygen)
+		eval ${keygen_cmd}
+		;;
+	esac
+fi
diff --git a/security/openssh+gssapi/patches/patch-aa b/security/openssh+gssapi/patches/patch-aa
new file mode 100644
index 00000000000..08ea9913140
--- /dev/null
+++ b/security/openssh+gssapi/patches/patch-aa
@@ -0,0 +1,34 @@
+$NetBSD: patch-aa,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+
+--- configure.orig	Tue Apr 29 02:37:28 2003
++++ configure	Tue Jun 10 13:38:01 2003
+@@ -4939,6 +4939,9 @@
+ 	;;
+ esac
+ 
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ 
+ # Check whether --with-cflags or --without-cflags was given.
+@@ -7030,6 +7033,10 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+ 
++#ifdef HAVE_SYS_CDEFS_H
++#include <sys/cdefs.h>
++#endif
++#include <stdio.h>
+ #include <tcpd.h>
+ 					int deny_severity = 0, allow_severity = 0;
+ 
+@@ -19123,7 +19130,7 @@
+ echo "                     User binaries: $B"
+ echo "                   System binaries: $C"
+ echo "               Configuration files: $D"
+-echo "                   Askpass program: $E"
++echo "                   Askpass program: ${ASKPASS_PROGRAM}"
+ echo "                      Manual pages: $F"
+ echo "                          PID file: $G"
+ echo "  Privilege separation chroot path: $H"
diff --git a/security/openssh+gssapi/patches/patch-ab b/security/openssh+gssapi/patches/patch-ab
new file mode 100644
index 00000000000..f14b7d72251
--- /dev/null
+++ b/security/openssh+gssapi/patches/patch-ab
@@ -0,0 +1,34 @@
+$NetBSD: patch-ab,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+
+--- configure.ac.orig	Thu Sep 26 00:38:47 2002
++++ configure.ac
+@@ -341,6 +341,9 @@ mips-sony-bsd|mips-sony-newsos4)
+ 	;;
+ esac
+ 
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH(cflags,
+ 	[  --with-cflags           Specify additional flags to pass to compiler],
+@@ -575,6 +578,10 @@ AC_ARG_WITH(tcp-wrappers,
+ 			AC_MSG_CHECKING(for libwrap)
+ 			AC_TRY_LINK(
+ 				[
++#ifdef HAVE_SYS_CDEFS_H
++#include <sys/cdefs.h>
++#endif
++#include <stdio.h>
+ #include <tcpd.h>
+ 					int deny_severity = 0, allow_severity = 0;
+ 				],
+@@ -2449,7 +2456,7 @@ echo "OpenSSH has been configured with t
+ echo "                     User binaries: $B"
+ echo "                   System binaries: $C"
+ echo "               Configuration files: $D"
+-echo "                   Askpass program: $E"
++echo "                   Askpass program: ${ASKPASS_PROGRAM}"
+ echo "                      Manual pages: $F"
+ echo "                          PID file: $G"
+ echo "  Privilege separation chroot path: $H"
diff --git a/security/openssh+gssapi/patches/patch-ah b/security/openssh+gssapi/patches/patch-ah
new file mode 100644
index 00000000000..9e30e08d778
--- /dev/null
+++ b/security/openssh+gssapi/patches/patch-ah
@@ -0,0 +1,22 @@
+$NetBSD: patch-ah,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+
+--- Makefile.in.orig	Fri Jun 21 10:38:53 2002
++++ Makefile.in	Tue Jun 25 10:50:44 2002
+@@ -21,7 +21,7 @@
+ DESTDIR=
+ VPATH=@srcdir@
+ SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ RAND_HELPER=$(libexecdir)/ssh-rand-helper
+@@ -203,7 +203,7 @@
+ scard-install:
+ 	(cd scard && $(MAKE) DESTDIR=$(DESTDIR) install)
+ 
+-install-files: scard-install
++install-files:
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
diff --git a/security/openssh+gssapi/patches/patch-ai b/security/openssh+gssapi/patches/patch-ai
new file mode 100644
index 00000000000..34f38120460
--- /dev/null
+++ b/security/openssh+gssapi/patches/patch-ai
@@ -0,0 +1,62 @@
+$NetBSD: patch-ai,v 1.4 2004/06/15 18:44:57 kristerw Exp $
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
++++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+-	buffer->alloc = 4096;
+-	buffer->buf = xmalloc(buffer->alloc);
++	const u_int len = 4096;
++
++	buffer->alloc = 0;
++	buffer->buf = xmalloc(len);
++	buffer->alloc = len;
+ 	buffer->offset = 0;
+ 	buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+-	memset(buffer->buf, 0, buffer->alloc);
+-	xfree(buffer->buf);
++	if (buffer->alloc > 0) {
++		memset(buffer->buf, 0, buffer->alloc);
++		xfree(buffer->buf);
++	}
+ }
+ 
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++	u_int newlen;
+ 	void *p;
+ 
+ 	if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ 		goto restart;
+ 	}
+ 	/* Increase the size of the buffer and retry. */
+-	buffer->alloc += len + 32768;
+-	if (buffer->alloc > 0xa00000)
++	
++	newlen = buffer->alloc + len + 32768;
++	if (newlen > 0xa00000)
+ 		fatal("buffer_append_space: alloc %u not supported",
+-		    buffer->alloc);
+-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++		    newlen);
++	buffer->buf = xrealloc(buffer->buf, newlen);
++	buffer->alloc = newlen;
+ 	goto restart;
+ 	/* NOTREACHED */
+ }
diff --git a/security/openssh+gssapi/patches/patch-aj b/security/openssh+gssapi/patches/patch-aj
new file mode 100644
index 00000000000..2df3b480871
--- /dev/null
+++ b/security/openssh+gssapi/patches/patch-aj
@@ -0,0 +1,26 @@
+$NetBSD: patch-aj,v 1.3 2004/06/15 18:44:57 kristerw Exp $
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
++++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
+@@ -228,12 +228,13 @@
+ 	if (found == -1) {
+ 		/* There are no free slots.  Take last+1 slot and expand the array.  */
+ 		found = channels_alloc;
+-		channels_alloc += 10;
+ 		if (channels_alloc > 10000)
+ 			fatal("channel_new: internal error: channels_alloc %d "
+ 			    "too big.", channels_alloc);
++		channels = xrealloc(channels,
++		    (channels_alloc + 10) * sizeof(Channel *));
++		channels_alloc += 10;
+ 		debug2("channel: expanding %d", channels_alloc);
+-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ 		for (i = found; i < channels_alloc; i++)
+ 			channels[i] = NULL;
+ 	}
+