PSARC 2012/335 OpenSSH migration
authorHuie-Ying Lee <huieying.lee@oracle.com>
Fri, 20 Dec 2013 12:17:34 -0800
changeset 1612 3f2ec017627f
parent 1611 6b7edd68c53f
child 1613 07ad28ea2398
PSARC 2012/335 OpenSSH migration PSARC 2013/115 Shared configuration for SunSSH & OpenSSH 15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate (OpenSSH migration phase 2) 16306216 problem in UTILITY/OPENSSH
components/openssh/Makefile
components/openssh/openssh.license
components/openssh/openssh.p5m
components/openssh/patches/001-skip_config_check.patch
components/openssh/patches/002-pam_support.patch
components/openssh/patches/003-last_login.patch
components/openssh/patches/004-broken_bsm_api.patch
components/openssh/patches/005-openssh_krb5_build_fix.patch
components/openssh/patches/006-umac_align_fix.patch
components/openssh/patches/007-manpages.patch
components/openssh/patches/008-deprecate_sunssh_opt.patch
components/openssh/patches/009-CVE-2010-5107.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/Makefile	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,75 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+#
+include ../../make-rules/shared-macros.mk
+
+COMPONENT_NAME=		openssh
+COMPONENT_VERSION=	6.0
+COMPONENT_PORTABLE_VERSION = $(COMPONENT_VERSION)p1
+COMPONENT_PROJECT_URL=  http://www.openssh.org/
+COMPONENT_SRC=          $(COMPONENT_NAME)-$(COMPONENT_PORTABLE_VERSION)
+COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH=	sha256:589d48e952d6c017e667873486b5df63222f9133d417d0002bd6429d9bd882de
+COMPONENT_ARCHIVE_URL=	http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
+COMPONENT_BUGDB=utility/openssh
+
+include ../../make-rules/prep.mk
+include ../../make-rules/configure.mk
+include ../../make-rules/ips.mk
+
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
+CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS) -DSET_USE_PAM -DDEPRECATE_SUNSSH_OPT -DLASTLOG_FIX -DKRB5_BUILD_FIX -DAUE_openssh=6172"
+
+# We need to disable lazyloading of dynamic dependent libraries. During the
+# pre-authentication phase, sshd will chroot to /var/empty which doesn't
+# contain any files. If we use lazyloading, sshd will fail to find any
+# libraries that it needs.
+CONFIGURE_OPTIONS += LDFLAGS="$(LDFLAGS) -B direct -z nolazyload"
+
+CONFIGURE_OPTIONS += --with-audit=bsm
+CONFIGURE_OPTIONS += --with-libedit
+CONFIGURE_OPTIONS += --with-kerberos5
+CONFIGURE_OPTIONS += --with-pam
+CONFIGURE_OPTIONS += --with-sandbox=no
+CONFIGURE_OPTIONS += --with-solaris-contracts
+CONFIGURE_OPTIONS += --with-solaris-projects
+CONFIGURE_OPTIONS += --with-tcp-wrappers
+CONFIGURE_OPTIONS += --with-4in6
+CONFIGURE_OPTIONS += --enable-strip=no
+CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh
+
+# common targets
+build:		$(BUILD_32)
+
+install:	$(INSTALL_32)
+
+# Because of certain set up requirement, the regress test suite is ported to
+# the STC gate.
+test:		$(NO_TESTS)
+
+BUILD_PKG_DEPENDENCIES =	$(BUILD_TOOLS)
+
+include ../../make-rules/depend.mk
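Review bot: `CONFIGURE_OPTIONS += --with-sandbox=no` selects the null privilege-separation sandbox, and unlike the `-z nolazyload` line above it carries no comment explaining why. Add one next to the option, for example `# privsep sandbox disabled: <reason>; re-evaluate on every version bump`, so the reduced pre-auth containment is a recorded decision rather than something a later upgrade inherits silently. Separately, `COMPONENT_ARCHIVE_URL` fetches over plain `http://` from a third-party mirror, so integrity rests entirely on `COMPONENT_ARCHIVE_HASH` (presumably checked by the included `prep.mk`, which is not visible here). A short comment stating that the sha256 was checked against the upstream signed release, not just computed from the mirror download, would make that trust chain auditable.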
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/openssh.license	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,340 @@
+This file is part of the OpenSSH software.
+
+The licences which components of this software fall under are as
+follows.  First, we will summarize and say that all components
+are under a BSD licence, or a licence more free than that.
+
+OpenSSH contains no GPL code.
+
+1)
+     * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
+     *                    All rights reserved
+     *
+     * As far as I am concerned, the code I have written for this software
+     * can be used freely for any purpose.  Any derived versions of this
+     * software must be clearly marked as such, and if the derived work is
+     * incompatible with the protocol description in the RFC file, it must be
+     * called by a name other than "ssh" or "Secure Shell".
+
+    [Tatu continues]
+     *  However, I am not implying to give any licenses to any patents or
+     * copyrights held by third parties, and the software includes parts that
+     * are not under my direct control.  As far as I know, all included
+     * source code is used in accordance with the relevant license agreements
+     * and can be used freely for any purpose (the GNU license being the most
+     * restrictive); see below for details.
+
+    [However, none of that term is relevant at this point in time.  All of
+    these restrictively licenced software components which he talks about
+    have been removed from OpenSSH, i.e.,
+
+     - RSA is no longer included, found in the OpenSSL library
+     - IDEA is no longer included, its use is deprecated
+     - DES is now external, in the OpenSSL library
+     - GMP is no longer used, and instead we call BN code from OpenSSL
+     - Zlib is now external, in a library
+     - The make-ssh-known-hosts script is no longer included
+     - TSS has been removed
+     - MD5 is now external, in the OpenSSL library
+     - RC4 support has been replaced with ARC4 support from OpenSSL
+     - Blowfish is now external, in the OpenSSL library
+
+    [The licence continues]
+
+    Note that any information and cryptographic algorithms used in this
+    software are publicly available on the Internet and at any major
+    bookstore, scientific library, and patent office worldwide.  More
+    information can be found e.g. at "http://www.cs.hut.fi/crypto".
+
+    The legal status of this program is some combination of all these
+    permissions and restrictions.  Use only at your own responsibility.
+    You will be responsible for any legal consequences yourself; I am not
+    making any claims whether possessing or using this is legal or not in
+    your country, and I am not taking any responsibility on your behalf.
+
+
+			    NO WARRANTY
+
+    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+    REPAIR OR CORRECTION.
+
+    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGES.
+
+2)
+    The 32-bit CRC compensation attack detector in deattack.c was
+    contributed by CORE SDI S.A. under a BSD-style license.
+
+     * Cryptographic attack detector for ssh - source code
+     *
+     * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
+     *
+     * All rights reserved. Redistribution and use in source and binary
+     * forms, with or without modification, are permitted provided that
+     * this copyright notice is retained.
+     *
+     * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+     * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
+     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
+     * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
+     * SOFTWARE.
+     *
+     * Ariel Futoransky <[email protected]>
+     * <http://www.core-sdi.com>
+
+3)
+    ssh-keyscan was contributed by David Mazieres under a BSD-style
+    license.
+
+     * Copyright 1995, 1996 by David Mazieres <[email protected]>.
+     *
+     * Modification and redistribution in source and binary forms is
+     * permitted provided that due credit is given to the author and the
+     * OpenBSD project by leaving this copyright notice intact.
+
+4)
+    The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
+    and Paulo Barreto is in the public domain and distributed
+    with the following license:
+
+     * @version 3.0 (December 2000)
+     *
+     * Optimised ANSI C code for the Rijndael cipher (now AES)
+     *
+     * @author Vincent Rijmen <[email protected]>
+     * @author Antoon Bosselaers <[email protected]>
+     * @author Paulo Barreto <[email protected]>
+     *
+     * This code is hereby placed in the public domain.
+     *
+     * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+     * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+     * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+     * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+     * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+     * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+     * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+     * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+     * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+     * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+5)
+    One component of the ssh source code is under a 3-clause BSD license,
+    held by the University of California, since we pulled these parts from
+    original Berkeley code.
+
+     * Copyright (c) 1983, 1990, 1992, 1993, 1995
+     *      The Regents of the University of California.  All rights reserved.
+     *
+     * Redistribution and use in source and binary forms, with or without
+     * modification, are permitted provided that the following conditions
+     * are met:
+     * 1. Redistributions of source code must retain the above copyright
+     *    notice, this list of conditions and the following disclaimer.
+     * 2. Redistributions in binary form must reproduce the above copyright
+     *    notice, this list of conditions and the following disclaimer in the
+     *    documentation and/or other materials provided with the distribution.
+     * 3. Neither the name of the University nor the names of its contributors
+     *    may be used to endorse or promote products derived from this software
+     *    without specific prior written permission.
+     *
+     * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+     * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+     * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+     * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+     * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+     * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+     * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+     * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+     * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+     * SUCH DAMAGE.
+
+6)
+    Remaining components of the software are provided under a standard
+    2-term BSD licence with the following names as copyright holders:
+
+	Markus Friedl
+	Theo de Raadt
+	Niels Provos
+	Dug Song
+	Aaron Campbell
+	Damien Miller
+	Kevin Steves
+	Daniel Kouril
+	Wesley Griffin
+	Per Allansson
+	Nils Nordman
+	Simon Wilkinson
+
+    Portable OpenSSH additionally includes code from the following copyright
+    holders, also under the 2-term BSD license:
+
+	Ben Lindstrom
+	Tim Rice
+	Andre Lucas
+	Chris Adams
+	Corinna Vinschen
+	Cray Inc.
+	Denis Parker
+	Gert Doering
+	Jakob Schlyter
+	Jason Downs
+	Juha Yrjölä
+	Michael Stone
+	Networks Associates Technology, Inc.
+	Solar Designer
+	Todd C. Miller
+	Wayne Schroeder
+	William Jones
+	Darren Tucker
+	Sun Microsystems
+	The SCO Group
+	Daniel Walsh
+	Red Hat, Inc
+	Simon Vallet / Genoscope
+
+     * Redistribution and use in source and binary forms, with or without
+     * modification, are permitted provided that the following conditions
+     * are met:
+     * 1. Redistributions of source code must retain the above copyright
+     *    notice, this list of conditions and the following disclaimer.
+     * 2. Redistributions in binary form must reproduce the above copyright
+     *    notice, this list of conditions and the following disclaimer in the
+     *    documentation and/or other materials provided with the distribution.
+     *
+     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+8) Portable OpenSSH contains the following additional licenses:
+
+    a) md5crypt.c, md5crypt.h
+
+	 * "THE BEER-WARE LICENSE" (Revision 42):
+	 * <[email protected]> wrote this file.  As long as you retain this
+	 * notice you can do whatever you want with this stuff. If we meet
+	 * some day, and you think this stuff is worth it, you can buy me a
+	 * beer in return.   Poul-Henning Kamp
+
+    b) snprintf replacement
+
+	* Copyright Patrick Powell 1995
+	* This code is based on code written by Patrick Powell
+	* ([email protected]) It may be used for any purpose as long as this
+	* notice remains intact on all source code distributions
+
+    c) Compatibility code (openbsd-compat)
+
+       Apart from the previously mentioned licenses, various pieces of code
+       in the openbsd-compat/ subdirectory are licensed as follows:
+
+       Some code is licensed under a 3-term BSD license, to the following
+       copyright holders:
+
+	Todd C. Miller
+	Theo de Raadt
+	Damien Miller
+	Eric P. Allman
+	The Regents of the University of California
+	Constantin S. Svintsoff
+
+	* Redistribution and use in source and binary forms, with or without
+	* modification, are permitted provided that the following conditions
+	* are met:
+	* 1. Redistributions of source code must retain the above copyright
+	*    notice, this list of conditions and the following disclaimer.
+	* 2. Redistributions in binary form must reproduce the above copyright
+	*    notice, this list of conditions and the following disclaimer in the
+	*    documentation and/or other materials provided with the distribution.
+	* 3. Neither the name of the University nor the names of its contributors
+	*    may be used to endorse or promote products derived from this software
+	*    without specific prior written permission.
+	*
+	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+	* ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+	* SUCH DAMAGE.
+
+       Some code is licensed under an ISC-style license, to the following
+       copyright holders:
+
+	Internet Software Consortium.
+	Todd C. Miller
+	Reyk Floeter
+	Chad Mynhier
+
+	* Permission to use, copy, modify, and distribute this software for any
+	* purpose with or without fee is hereby granted, provided that the above
+	* copyright notice and this permission notice appear in all copies.
+	*
+	* THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
+	* WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+	* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
+	* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+       Some code is licensed under a MIT-style license to the following
+       copyright holders:
+
+	Free Software Foundation, Inc.
+
+	* Permission is hereby granted, free of charge, to any person obtaining a  *
+	* copy of this software and associated documentation files (the            *
+	* "Software"), to deal in the Software without restriction, including      *
+	* without limitation the rights to use, copy, modify, merge, publish,      *
+	* distribute, distribute with modifications, sublicense, and/or sell       *
+	* copies of the Software, and to permit persons to whom the Software is    *
+	* furnished to do so, subject to the following conditions:                 *
+	*                                                                          *
+	* The above copyright notice and this permission notice shall be included  *
+	* in all copies or substantial portions of the Software.                   *
+	*                                                                          *
+	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  *
+	* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               *
+	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   *
+	* IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   *
+	* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    *
+	* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    *
+	* THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               *
+	*                                                                          *
+	* Except as contained in this notice, the name(s) of the above copyright   *
+	* holders shall not be used in advertising or otherwise to promote the     *
+	* sale, use or other dealings in this Software without prior written       *
+	* authorization.                                                           *
+	****************************************************************************/
+
+
+------
+$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/openssh.p5m	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,124 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+#
+<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
+set name=pkg.fmri \
+    value=pkg:/network/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="OPENSSH 6.0"
+set name=info.classification value=org.opensolaris.category.2008:System/Security
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2012/335
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+link path=usr/bin/scp target=../lib/openssh/bin/scp mediator=ssh \
+    mediator-implementation=openssh
+link path=usr/bin/sftp target=../lib/openssh/bin/sftp mediator=ssh \
+    mediator-implementation=openssh
+link path=usr/bin/ssh target=../lib/openssh/bin/ssh mediator=ssh \
+    mediator-implementation=openssh
+link path=usr/bin/ssh-add target=../lib/openssh/bin/ssh-add mediator=ssh \
+    mediator-implementation=openssh
+link path=usr/bin/ssh-agent target=../lib/openssh/bin/ssh-agent mediator=ssh \
+    mediator-implementation=openssh
+link path=usr/bin/ssh-keygen target=../lib/openssh/bin/ssh-keygen mediator=ssh \
+    mediator-implementation=openssh
+link path=usr/bin/ssh-keyscan target=../lib/openssh/bin/ssh-keyscan \
+    mediator=ssh mediator-implementation=openssh
+file usr/bin/scp path=usr/lib/openssh/bin/scp mode=0555
+file usr/bin/sftp path=usr/lib/openssh/bin/sftp mode=0555
+file usr/bin/ssh path=usr/lib/openssh/bin/ssh mode=0555
+file usr/bin/ssh-add path=usr/lib/openssh/bin/ssh-add mode=0555
+file usr/bin/ssh-agent path=usr/lib/openssh/bin/ssh-agent mode=2555
+file usr/bin/ssh-keygen path=usr/lib/openssh/bin/ssh-keygen mode=0555
+file usr/bin/ssh-keyscan path=usr/lib/openssh/bin/ssh-keyscan mode=0555
+file usr/lib/ssh/sftp-server path=usr/lib/openssh/lib/sftp-server mode=0555
+file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign mode=4555
+file usr/lib/ssh/ssh-pkcs11-helper path=usr/lib/openssh/lib/ssh-pkcs11-helper \
+    mode=0555
+file usr/lib/ssh/sshd path=usr/lib/openssh/lib/sshd mode=0555
+link path=usr/lib/ssh/sftp-server target=../openssh/lib/sftp-server \
+    mediator=ssh mediator-implementation=openssh
+link path=usr/lib/ssh/ssh-keysign target=../openssh/lib/ssh-keysign \
+    mediator=ssh mediator-implementation=openssh
+link path=usr/lib/ssh/ssh-pkcs11-helper \
+    target=../openssh/lib/ssh-pkcs11-helper mediator=ssh \
+    mediator-implementation=openssh
+link path=usr/lib/ssh/sshd target=../openssh/lib/sshd mediator=ssh \
+    mediator-implementation=openssh restart_fmri=svc:/network/ssh:default
+link path=usr/share/man/man1/scp.1 target=./scp.openssh.1 mediator=ssh \
+    mediator-implementation=openssh
+file usr/share/man/man1/scp.1 path=usr/share/man/man1/scp.openssh.1 mode=0444
+link path=usr/share/man/man1/sftp.1 target=./sftp.openssh.1 mediator=ssh \
+    mediator-implementation=openssh
+file usr/share/man/man1/sftp.1 path=usr/share/man/man1/sftp.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh-add.1 target=./ssh-add.openssh.1 mediator=ssh \
+    mediator-implementation=openssh
+file usr/share/man/man1/ssh-add.1 path=usr/share/man/man1/ssh-add.openssh.1 \
+    mode=0444
+link path=usr/share/man/man1/ssh-agent.1 target=./ssh-agent.openssh.1 \
+    mediator=ssh mediator-implementation=openssh
+file usr/share/man/man1/ssh-agent.1 \
+    path=usr/share/man/man1/ssh-agent.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh-keygen.1 target=./ssh-keygen.openssh.1 \
+    mediator=ssh mediator-implementation=openssh
+file usr/share/man/man1/ssh-keygen.1 \
+    path=usr/share/man/man1/ssh-keygen.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh-keyscan.1 target=./ssh-keyscan.openssh.1 \
+    mediator=ssh mediator-implementation=openssh
+file usr/share/man/man1/ssh-keyscan.1 \
+    path=usr/share/man/man1/ssh-keyscan.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh.1 target=./ssh.openssh.1 mediator=ssh \
+    mediator-implementation=openssh
+file usr/share/man/man1/ssh.1 path=usr/share/man/man1/ssh.openssh.1 mode=0444
+link path=usr/share/man/man1m/sftp-server.1m target=./sftp-server.openssh.1m \
+    mediator=ssh mediator-implementation=openssh
+file usr/share/man/man8/sftp-server.8 \
+    path=usr/share/man/man1m/sftp-server.openssh.1m
+link path=usr/share/man/man1m/ssh-keysign.1m target=./ssh-keysign.openssh.1m \
+    mediator=ssh mediator-implementation=openssh
+file usr/share/man/man8/ssh-keysign.8 \
+    path=usr/share/man/man1m/ssh-keysign.openssh.1m
+link path=usr/share/man/man1m/ssh-pkcs11-helper.1m \
+    target=./ssh-pkcs11-helper.openssh.1m mediator=ssh \
+    mediator-implementation=openssh
+file usr/share/man/man8/ssh-pkcs11-helper.8 \
+    path=usr/share/man/man1m/ssh-pkcs11-helper.openssh.1m
+link path=usr/share/man/man1m/sshd.1m target=./sshd.openssh.1m mediator=ssh \
+    mediator-implementation=openssh
+file usr/share/man/man8/sshd.8 path=usr/share/man/man1m/sshd.openssh.1m
+link path=usr/share/man/man4/moduli.4 target=./moduli.openssh.4 mediator=ssh \
+    mediator-implementation=openssh
+file usr/share/man/man5/moduli.5 path=usr/share/man/man4/moduli.openssh.4
+link path=usr/share/man/man4/ssh_config.4 target=./ssh_config.openssh.4 \
+    mediator=ssh mediator-implementation=openssh
+file usr/share/man/man5/ssh_config.5 \
+    path=usr/share/man/man4/ssh_config.openssh.4
+link path=usr/share/man/man4/sshd_config.4 target=./sshd_config.openssh.4 \
+    mediator=ssh mediator-implementation=openssh
+file usr/share/man/man5/sshd_config.5 \
+    path=usr/share/man/man4/sshd_config.openssh.4
+dir  path=var/empty owner=root group=sys mode=0755
+group groupname=sshd gid=22
+user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \
+    home-dir=/var/empty login-shell=/bin/false uid=22
+license openssh.license license="BSD, BSD-like"
+depend type=require fmri=service/network/ssh-common
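Review bot: `ssh-keysign` is delivered with `mode=4555` and `ssh-agent` with `mode=2555`, but neither `file` action sets `owner=` or `group=`. Which identity those set-id bits grant therefore depends on defaults or transforms that are not visible in this manifest. For the two privileged binaries I would state it explicitly, e.g. `file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign owner=<owner> group=<group> mode=4555`, and add a `#` comment saying why `ssh-agent` needs the setgid bit. A smaller consistency point: the `man1` pages carry `mode=0444` while the `man1m` and `man4` `file` actions have no `mode=` at all.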
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/001-skip_config_check.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,27 @@
+#
+# This change is to remove some misleading error messages when running 
+# "gmake install". OpenSSH mixes the building and running together. Some 
+# system setup checking for running the program needs to be removed, because
+# they are not suitable in a build system.  This is for Solaris only, so we
+# will not contribute back this change to the upstream community.
+#
+--- orig/Makefile.in	Wed Mar 27 16:56:36 2013
++++ new/Makefile.in	Wed Mar 27 17:05:06 2013
[email protected]@ -237,7 +237,16 @@
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ 
+ check-config:
+-	-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
++# On Solaris, to workaround OpenSSH's unlucky mixing of 'building ssh' and
++# 'running ssh', on build machine the following requisites shouldn't be
++# enforced:
++#     1) existence of privsep user sshd
++#     2) existence of privsep directory /var/empty
++#     3) read permissions for /etc/ssh/ssh_host_[rsa,dsa]_key 
++#
++#	-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
++#
++	@echo 'Oracle Solaris: skipping check-config'
+ 
+ install-files:
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
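Review bot: With the `sshd -t -f ...` line commented out, `check-config` only echoes a message, and nothing visible in this patch validates the delivered `sshd_config` at any later point. The original check was already best-effort (leading `-`), so the build impact is small, but the patch header should say where validation now happens, for example `# sshd_config syntax is checked by <test suite or service start method>`. If no such step exists, a broken default configuration would first show up when the service starts on an installed system. I would also drop the commented-out recipe line rather than keep it as dead text, since the header comment already records what was removed.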
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/002-pam_support.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,42 @@
+#
+# To comply to the Solaris PAM policy, the UsePAM option is changed to be
+# always on and not configurable on Solaris.  This is for Solaris only, so we
+# will not contribute the changes to the upstream community.
+#
+*** orig/servconf.c	Mon Dec  5 17:23:03 2011
+--- new/servconf.c	Wed Dec  7 13:41:04 2011
+***************
+*** 145,151 ****
+--- 145,156 ----
+  {
+  	/* Portable-specific options */
+  	if (options->use_pam == -1)
++ #ifdef SET_USE_PAM
++ 		/* use_pam should be always set to 1 on Solaris */
++ 		options->use_pam = 1;
++ #else
+  		options->use_pam = 0;
++ #endif
+  
+  	/* Standard Options */
+  	if (options->protocol == SSH_PROTO_UNKNOWN)
+***************
+*** 755,762 ****
+--- 760,776 ----
+  	switch (opcode) {
+  	/* Portable-specific options */
+  	case sUsePAM:
++ #ifdef SET_USE_PAM
++ 		/* UsePAM is always on and not configurable on Solaris */
++ 		logit("%s line %d: ignoring UsePAM option value."
++ 		    " This option is always on.", filename, linenum);
++ 		while (arg)
++ 			arg = strdelim(&cp);
++ 		break; 
++ #else
+  		intptr = &options->use_pam;
+  		goto parse_flag;
++ #endif
+  
+  	/* Standard Options */
+  	case sBadOption:
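Review bot: In the `sUsePAM` case the same `logit()` line is emitted whatever value was configured, and the value is discarded unread. An administrator who writes `UsePAM no` to keep the PAM stack out of authentication gets PAM enabled anyway, with only a generic log message. Read the argument first and name it in the message, e.g. `arg = strdelim(&cp);` followed by `logit("%s line %d: ignoring \"UsePAM %s\"; PAM is always enabled.", filename, linenum, arg ? arg : "");`, so a refused `no` is distinguishable in the logs from a redundant `yes`. Because PAM can no longer be disabled, the delivered `sshd_config` documentation should also explain how PAM keyboard-interactive authentication interacts with settings such as `PermitRootLogin without-password`. Both enclosing functions start and end outside the hunks shown.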
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/003-last_login.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,90 @@
+#
+# We changed the OpenSSH to not record the last login time when the "UsePAM"
+# option is on, because the PAM session module in Solaris will record the last
+# login time.  This is for Solaris only, so we will not contribute back this
+# change to the upstream community.
+#
+*** orig/sshd.c	Thu Oct  4 16:08:28 2012
+--- new/sshd.c	Thu Oct  4 16:06:05 2012
+***************
+*** 128,133 ****
+--- 128,137 ----
+  int deny_severity;
+  #endif /* LIBWRAP */
+  
++ #if defined(LASTLOG_FIX) && defined(USE_PAM)
++ #include "sshlogin.h"
++ #endif
++ 
+  #ifndef O_NOCTTY
+  #define O_NOCTTY	0
+  #endif
+***************
+*** 2028,2033 ****
+--- 2032,2041 ----
+  #endif
+  #ifdef USE_PAM
+  	if (options.use_pam) {
++ #ifdef LASTLOG_FIX
++ 		store_lastlog_message(authctxt->pw->pw_name,
++ 		    authctxt->pw->pw_uid);
++ #endif
+  		do_pam_setcred(1);
+  		do_pam_session();
+  	}
+*** orig/sshlogin.h	Thu Oct  4 16:08:54 2012
+--- new/sshlogin.h	Thu Oct  4 16:06:31 2012
+***************
+*** 14,19 ****
+--- 14,22 ----
+  
+  void	record_login(pid_t, const char *, const char *, uid_t,
+      const char *, struct sockaddr *, socklen_t);
++ #ifdef LASTLOG_FIX
++ void store_lastlog_message(const char *, uid_t);
++ #endif
+  void   record_logout(pid_t, const char *, const char *);
+  time_t	get_last_login_time(uid_t, const char *, char *, u_int);
+  
+*** orig/sshlogin.c	Thu Oct  4 16:08:42 2012
+--- new/sshlogin.c	Thu Oct  4 16:35:27 2012
+***************
+*** 83,89 ****
+--- 83,93 ----
+   * Generate and store last login message.  This must be done before
+   * login_login() is called and lastlog is updated.
+   */
++ #ifndef LASTLOG_FIX
+  static void
++ #else
++ void
++ #endif
+  store_lastlog_message(const char *user, uid_t uid)
+  {
+  #ifndef NO_SSH_LASTLOG
+***************
+*** 128,133 ****
+--- 132,141 ----
+  {
+  	struct logininfo *li;
+  
++ #ifdef LASTLOG_FIX
++ 	/* In Solaris, PAM takes care of last login tracking */
++         if (!options.use_pam) {
++ #endif
+  	/* save previous login details before writing new */
+  	store_lastlog_message(user, uid);
+  
+***************
+*** 135,140 ****
+--- 143,152 ----
+  	login_set_addr(li, addr, addrlen);
+  	login_login(li);
+  	login_free_entry(li);
++ 
++ #ifdef LASTLOG_FIX
++ 	}
++ #endif
+  }
+  
+  #ifdef LOGIN_NEEDS_UTMPX
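Review bot: In `sshlogin.c` the new `if (!options.use_pam) {` opens before `store_lastlog_message()` and closes after `login_free_entry(li)`, so the whole body of `record_login()` is skipped when PAM is on, including the `login_login(li)` call and not just the lastlog message. The patch header only speaks of the last login time; if `login_login()` also writes the utmpx/wtmpx records on this platform, those now depend entirely on the PAM session module. That matters for `who`/`last` output and for anyone reconstructing SSH sessions afterwards. Either narrow the guard to the lastlog part or extend the comment to `/* PAM session module records lastlog and utmpx/wtmpx on Solaris */`, once that has been confirmed. The guarded lines were also not re-indented and the `if` line uses spaces where the file uses tabs; the function signature is outside the hunk.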
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/004-broken_bsm_api.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,30 @@
+#
+# OpenSSH has special hacks in the code to deal with Solaris private API
+# changes in audit (au_close, getacna) for S11. This patch merely modifies the
+# configure script to consider any S11+ a 'newer Solaris' too, not just S11.
+#
+# We reported this problem to the OpenSSH upstream community on Dec 06 2013.
+# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2178
+#
+--- openssh-6.0p1/configure	2012-04-19 22:03:38.000000000 -0700
++++ new/configure	2013-01-10 03:10:29.200564881 -0800
[email protected]@ -9393,7 +9393,7 @@
+ 
+ $as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h
+ 
+-		if test "$sol2ver" -eq 11; then
++		if test "$sol2ver" -ge 11; then
+ 		   	SSHDLIBS="$SSHDLIBS -lscf"
+ 
+ $as_echo "#define BROKEN_BSM_API 1" >>confdefs.h
+--- openssh-6.0p1/configure.ac	2013-12-05 05:31:15.809371483 -0800
++++ new/configure.ac	2013-12-05 05:31:25.689099600 -0800
[email protected]@ -1483,7 +1483,7 @@
+ 		# These are optional
+ 		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
+ 		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
+-		if test "$sol2ver" -eq 11; then
++		if test "$sol2ver" -ge 11; then
+ 		   	SSHDLIBS="$SSHDLIBS -lscf"
+                    	AC_DEFINE([BROKEN_BSM_API], [1], 
+ 		        	  [The system has incomplete BSM API])
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/005-openssh_krb5_build_fix.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,142 @@
+#
+# This is to work around an unresloved symbol problem with the Kerberos
+# build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
+# is not supported on Solaris, because it violates API abstraction. This
+# workaround disables delegated credentials storing on server side.  
+#
+# The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
+# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project). 
+# After that, function gss_krb5_copy_ccache() will be available in Solaris and
+# the delegating credentials functionality will be made available using the
+# upstream code.
+#
+diff -ur old/configure new/configure
+--- old/configure	2012-10-22 01:40:00.738542671 -0700
++++ new/configure	2012-10-22 02:18:52.991019932 -0700
[email protected]@ -15022,6 +15022,12 @@
+ 			fi
+ 			K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
+ 			K5LIBS="`$KRB5CONF --libs $k5confopts`"
++
++			# Oracle Solaris
++			# OpenSSH is mixed-up gssapi AND krb5 aplication
++			K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
++			K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
++
+ 			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
+ 			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
+ $as_echo_n "checking whether we are using Heimdal... " >&6; }
+diff -ru old/ssh-gss.h new/ssh-gss.h
+--- old/ssh-gss.h	2012-10-22 02:42:41.469718263 -0700
++++ new/ssh-gss.h	2012-10-22 02:52:00.222302785 -0700
[email protected]@ -45,7 +45,13 @@
+ /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+ 
+ #ifndef GSS_C_NT_HOSTBASED_SERVICE
++/* 
++ * on Solaris in gssapi.h there is: 
++ *     extern const gss_OID GSS_C_NT_HOSTBASED_SERVICE; 
++ */
++#ifndef KRB5_BUILD_FIX
+ #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
++#endif /* KRB5_BUILD_FIX */
+ #endif /* GSS_C_NT_... */
+ #endif /* !HEIMDAL */
+ #endif /* KRB5 */
+diff -u -r old/auth2-gss.c new/auth2-gss.c
+--- old/auth2-gss.c	2011-05-04 21:04:11.000000000 -0700
++++ new/auth2-gss.c	2012-10-25 02:57:42.332456661 -0700
[email protected]@ -47,6 +47,10 @@
+ 
+ extern ServerOptions options;
+ 
++#ifdef KRB5_BUILD_FIX
++	extern gss_OID_set g_supported;
++#endif
++
+ static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
+ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
+ static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
[email protected]@ -77,7 +81,12 @@
+ 		return (0);
+ 	}
+ 
++#ifdef KRB5_BUILD_FIX
++	/* use value obtained in privileged parent */
++	supported = g_supported;
++#else
+ 	ssh_gssapi_supported_oids(&supported);
++#endif
+ 	do {
+ 		mechs--;
+ 
+diff -u -r old/sshd.c new/sshd.c
+--- old/sshd.c	2012-10-22 01:28:17.260247177 -0700
++++ new/sshd.c	2012-10-25 02:53:41.663248837 -0700
[email protected]@ -257,6 +257,11 @@
+ /* Unprivileged user */
+ struct passwd *privsep_pw = NULL;
+ 
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++/* Temporary storing supported GSS mechs */
++gss_OID_set g_supported;
++#endif
++
+ /* Prototypes for various functions defined later in this file. */
+ void destroy_sensitive_data(void);
+ void demote_sensitive_data(void);
[email protected]@ -1351,6 +1356,9 @@
+ 	compat_init_setproctitle(ac, av);
+ 	av = saved_argv;
+ #endif
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++	OM_uint32 ms;
++#endif
+ 
+ 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ 		debug("setgroups(): %.200s", strerror(errno));
[email protected]@ -1984,6 +1992,11 @@
+ 	buffer_init(&loginmsg);
+ 	auth_debug_reset();
+ 
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++	/* collect gss mechs for later use in privsep child */
++	ssh_gssapi_supported_oids(&g_supported);
++#endif
++
+ 	if (use_privsep)
+ 		if (privsep_preauth(authctxt) == 1)
+ 			goto authenticated;
[email protected]@ -2018,6 +2031,9 @@
+ 		close(startup_pipe);
+ 		startup_pipe = -1;
+ 	}
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++	gss_release_oid_set(&ms, &g_supported);
++#endif 
+ 
+ #ifdef SSH_AUDIT_EVENTS
+ 	audit_event(SSH_AUTH_SUCCESS);
+--- old/gss-serv-krb5.c	2006-08-31 22:38:36.000000000 -0700
++++ new/gss-serv-krb5.c	2012-10-25 03:09:36.080638790 -0700
[email protected]@ -126,6 +126,12 @@
+ 		return;
+ 	}
+ 
++#ifdef KRB5_BUILD_FIX
++	/* currently unimplemented - print an error, but continue */
++	error("Delegated credentials storing not implemented.");
++	return;
++#else
++
+ 	if (ssh_gssapi_krb5_init() == 0)
+ 		return;
+ 
[email protected]@ -182,6 +188,7 @@
+ 	krb5_cc_close(krb_context, ccache);
+ 
+ 	return;
++#endif /* KRB5_BUILD_FIX */
+ }
+ 
+ ssh_gssapi_mech gssapi_kerberos_mech = {
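Review bot: In the auth2-gss.c part, `supported = g_supported;` makes the local variable an alias of the global OID set, so any later release of `supported` in the same function frees the memory that `g_supported` still points to. The function continues outside the hunk, and upstream code of this era calls `gss_release_oid_set(&ms, &supported);` after the loop; no hunk here removes that call, so please confirm whether it is still present. If it is, a repeated GSSAPI authentication attempt on one connection would test OIDs against an already released set in the pre-authentication path. The release should be compiled out under the fix, for example by wrapping it in `#ifndef KRB5_BUILD_FIX` ... `#endif`, leaving the single `gss_release_oid_set(&ms, &g_supported);` in sshd.c as the owner. Separately, `OM_uint32 ms;` in sshd.c is declared after executable statements, which a strict C89 build would reject.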
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/006-umac_align_fix.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,49 @@
+#
+# This is to fix an alignment problem on Sparc.  We reported the problem to the
+# OpenSSH upstream community with suggested fixes in May 2013. The upstream 
+# accepted the union fix and has integrated the fix in the 6.3 release. In the 
+# future, when we upgrade OpenSSH to 6.3 or later, we should remove this patch.
+# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2101
+#
+--- orig/mac.c	Fri Sep 20 14:53:41 2013
++++ new/mac.c	Fri Sep 20 15:04:13 2013
[email protected]@ -132,12 +132,15 @@
+ u_char *
+ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
+ {
+-	static u_char m[EVP_MAX_MD_SIZE];
++	static union {
++		u_char m[EVP_MAX_MD_SIZE];
++		u_int64_t for_align;
++	} u;
+ 	u_char b[4], nonce[8];
+ 
+-	if (mac->mac_len > sizeof(m))
++	if (mac->mac_len > sizeof(u))
+ 		fatal("mac_compute: mac too long %u %lu",
+-		    mac->mac_len, (u_long)sizeof(m));
++		    mac->mac_len, (u_long)sizeof(u));
+ 
+ 	switch (mac->type) {
+ 	case SSH_EVP:
[email protected]@ -146,17 +149,17 @@
+ 		HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
+ 		HMAC_Update(&mac->evp_ctx, b, sizeof(b));
+ 		HMAC_Update(&mac->evp_ctx, data, datalen);
+-		HMAC_Final(&mac->evp_ctx, m, NULL);
++		HMAC_Final(&mac->evp_ctx, u.m, NULL);
+ 		break;
+ 	case SSH_UMAC:
+ 		put_u64(nonce, seqno);
+ 		umac_update(mac->umac_ctx, data, datalen);
+-		umac_final(mac->umac_ctx, m, nonce);
++		umac_final(mac->umac_ctx, u.m, nonce);
+ 		break;
+ 	default:
+ 		fatal("mac_compute: unknown MAC type");
+ 	}
+-	return (m);
++	return (u.m);
+ }
+ 
+ void
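Review bot: The length guard now compares `mac->mac_len` with `sizeof(u)`, the size of the whole union, while the digest is written into `u.m`; the bound that matters is the array's. The two sizes are equal as long as EVP_MAX_MD_SIZE is a multiple of the alignment of `u_int64_t`, so this is not a defect today, but the check should not depend on that: `if (mac->mac_len > sizeof(u.m))`, with the same operand in the fatal() message. A one-line comment on the union, such as `/* for_align only forces 8-byte alignment of m */`, would explain a member that is not referenced anywhere in these hunks. The middle of mac_compute lies between the two hunks and is not shown.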
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/007-manpages.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,701 @@
+#
+# OpenSSH uses the BSD/Linux man page scheme which is different from the SysV
+# man page scheme used in Solaris.  In order to comply to the Solaris man page
+# policy and also use the IPS mediator to switch between SunSSH and OpenSSH man
+# pages, the section numbers of some OpenSSH man pages are changed to be as 
+# same as their corresponding ones in SunSSH.
+#
+--- orig/moduli.5	Thu Jan 10 15:04:00 2013
++++ new/moduli.5	Thu Jan 10 17:25:53 2013
[email protected]@ -14,7 +14,7 @@
+ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ .Dd $Mdocdate: October 14 2010 $
+-.Dt MODULI 5
++.Dt MODULI 4
+ .Os
+ .Sh NAME
+ .Nm moduli
[email protected]@ -23,7 +23,7 @@
+ The
+ .Pa /etc/moduli
+ file contains prime numbers and generators for use by
+-.Xr sshd 8
++.Xr sshd 1M
+ in the Diffie-Hellman Group Exchange key exchange method.
+ .Pp
+ New moduli may be generated with
[email protected]@ -40,7 +40,7 @@
+ .Ic ssh-keygen -T ,
+ provides a high degree of assurance that the numbers are prime and are
+ safe for use in Diffie-Hellman operations by
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ This
+ .Nm
+ format is used as the output from each pass.
[email protected]@ -70,7 +70,7 @@
+ Further primality testing with
+ .Xr ssh-keygen 1
+ produces safe prime moduli (type 2) that are ready for use in
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ Other types are not used by OpenSSH.
+ .It tests
+ Decimal number indicating the type of primality tests that the number
[email protected]@ -105,16 +105,16 @@
+ .El
+ .Pp
+ When performing Diffie-Hellman Group Exchange,
+-.Xr sshd 8
++.Xr sshd 1M
+ first estimates the size of the modulus required to produce enough
+ Diffie-Hellman output to sufficiently key the selected symmetric cipher.
+-.Xr sshd 8
++.Xr sshd 1M
+ then randomly selects a modulus from
+ .Fa /etc/moduli
+ that best meets the size requirement.
+ .Sh SEE ALSO
+ .Xr ssh-keygen 1 ,
+-.Xr sshd 8
++.Xr sshd 1M
+ .Rs
+ .%R RFC 4419
+ .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
+--- orig/sftp-server.8	Thu Jan 10 15:04:00 2013
++++ new/sftp-server.8	Thu Jan 10 15:48:21 2013
[email protected]@ -23,7 +23,7 @@
+ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ .\"
+ .Dd $Mdocdate: January 9 2010 $
+-.Dt SFTP-SERVER 8
++.Dt SFTP-SERVER 1M
+ .Os
+ .Sh NAME
+ .Nm sftp-server
[email protected]@ -40,7 +40,7 @@
+ to stdout and expects client requests from stdin.
+ .Nm
+ is not intended to be called directly, but from
+-.Xr sshd 8
++.Xr sshd 1M
+ using the
+ .Cm Subsystem
+ option.
[email protected]@ -51,7 +51,7 @@
+ .Cm Subsystem
+ declaration.
+ See
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ for more information.
+ .Pp
+ Valid options are:
[email protected]@ -106,8 +106,8 @@
+ .Sh SEE ALSO
+ .Xr sftp 1 ,
+ .Xr ssh 1 ,
+-.Xr sshd_config 5 ,
+-.Xr sshd 8
++.Xr sshd_config 4 ,
++.Xr sshd 1M
+ .Rs
+ .%A T. Ylonen
+ .%A S. Lehtinen
+--- orig/ssh_config.5	Thu Jan 10 15:04:00 2013
++++ new/ssh_config.5	Thu Jan 10 15:48:48 2013
[email protected]@ -35,7 +35,7 @@
+ .\"
+ .\" $OpenBSD: ssh_config.5,v 1.154 2011/09/09 00:43:00 djm Exp $
+ .Dd $Mdocdate: September 9 2011 $
+-.Dt SSH_CONFIG 5
++.Dt SSH_CONFIG 4
+ .Os
+ .Sh NAME
+ .Nm ssh_config
[email protected]@ -353,7 +353,7 @@
+ .Dq Fl O No exit
+ option).
+ If set to a time in seconds, or a time in any of the formats documented in
+-.Xr sshd_config 5 ,
++.Xr sshd_config 4 ,
+ then the backgrounded master connection will automatically terminate
+ after it has remained idle (with no client connections) for the
+ specified time.
[email protected]@ -473,7 +473,7 @@
+ using the format described in the
+ .Sx TIME FORMATS
+ section of
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ X11 connections received by
+ .Xr ssh 1
+ after this time will be refused.
[email protected]@ -540,7 +540,7 @@
+ These hashed names may be used normally by
+ .Xr ssh 1
+ and
+-.Xr sshd 8 ,
++.Xr sshd 1M ,
+ but they do not reveal identifying information should the file's contents
+ be disclosed.
+ The default is
[email protected]@ -885,7 +885,7 @@
+ The command can be basically anything,
+ and should read from its standard input and write to its standard output.
+ It should eventually connect an
+-.Xr sshd 8
++.Xr sshd 1M
+ server running on some machine, or execute
+ .Ic sshd -i
+ somewhere.
[email protected]@ -967,7 +967,7 @@
+ will only succeed if the server's
+ .Cm GatewayPorts
+ option is enabled (see
+-.Xr sshd_config 5 ) .
++.Xr sshd_config 4 ) .
+ .It Cm RequestTTY
+ Specifies whether to request a pseudo-tty for the session.
+ The argument may be one of:
[email protected]@ -1019,7 +1019,7 @@
+ Refer to
+ .Cm AcceptEnv
+ in
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ for how to configure the server.
+ Variables are specified by name, which may contain wildcard characters.
+ Multiple environment variables may be separated by whitespace or spread
+--- orig/ssh-keysign.8	Thu Jan 10 15:04:00 2013
++++ new/ssh-keysign.8	Thu Jan 10 15:49:23 2013
[email protected]@ -23,7 +23,7 @@
+ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ .\"
+ .Dd $Mdocdate: August 31 2010 $
+-.Dt SSH-KEYSIGN 8
++.Dt SSH-KEYSIGN 1M
+ .Os
+ .Sh NAME
+ .Nm ssh-keysign
[email protected]@ -52,7 +52,7 @@
+ See
+ .Xr ssh 1
+ and
+-.Xr sshd 8
++.Xr sshd 1M
+ for more information about host-based authentication.
+ .Sh FILES
+ .Bl -tag -width Ds -compact
[email protected]@ -81,8 +81,8 @@
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-keygen 1 ,
+-.Xr ssh_config 5 ,
+-.Xr sshd 8
++.Xr ssh_config 4 ,
++.Xr sshd 1M
+ .Sh HISTORY
+ .Nm
+ first appeared in
+--- orig/ssh-pkcs11-helper.8	Thu Jan 10 15:04:00 2013
++++ new/ssh-pkcs11-helper.8	Thu Jan 10 15:49:48 2013
[email protected]@ -15,7 +15,7 @@
+ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ .\"
+ .Dd $Mdocdate: February 10 2010 $
+-.Dt SSH-PKCS11-HELPER 8
++.Dt SSH-PKCS11-HELPER 1M
+ .Os
+ .Sh NAME
+ .Nm ssh-pkcs11-helper
+--- orig/sshd_config.5	Thu Jan 10 15:04:00 2013
++++ new/sshd_config.5	Fri Jan 11 15:56:09 2013
[email protected]@ -35,7 +35,7 @@
+ .\"
+ .\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $
+ .Dd $Mdocdate: September 9 2011 $
+-.Dt SSHD_CONFIG 5
++.Dt SSHD_CONFIG 4
+ .Os
+ .Sh NAME
+ .Nm sshd_config
[email protected]@ -43,7 +43,7 @@
+ .Sh SYNOPSIS
+ .Nm /etc/ssh/sshd_config
+ .Sh DESCRIPTION
+-.Xr sshd 8
++.Xr sshd 1M
+ reads configuration data from
+ .Pa /etc/ssh/sshd_config
+ (or the file specified with
[email protected]@ -68,7 +68,7 @@
+ See
+ .Cm SendEnv
+ in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for how to configure the client.
+ Note that environment passing is only supported for protocol 2.
+ Variables are specified by name, which may contain the wildcard characters
[email protected]@ -85,7 +85,7 @@
+ The default is not to accept any environment variables.
+ .It Cm AddressFamily
+ Specifies which address family should be used by
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ Valid arguments are
+ .Dq any ,
+ .Dq inet
[email protected]@ -120,7 +120,7 @@
+ See
+ .Sx PATTERNS
+ in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm AllowTcpForwarding
+ Specifies whether TCP forwarding is permitted.
[email protected]@ -149,7 +149,7 @@
+ See
+ .Sx PATTERNS
+ in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm AuthorizedKeysFile
+ Specifies the file that contains the public keys that can be used
[email protected]@ -157,7 +157,7 @@
+ The format is described in the
+ .Sx AUTHORIZED_KEYS FILE FORMAT
+ section of
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ .Cm AuthorizedKeysFile
+ may contain tokens of the form %T which are substituted during connection
+ setup.
[email protected]@ -182,7 +182,7 @@
+ in
+ .Sx AUTHORIZED_KEYS FILE FORMAT
+ in
+-.Xr sshd 8 ) .
++.Xr sshd 1M ) .
+ Empty lines and comments starting with
+ .Ql #
+ are ignored.
[email protected]@ -210,7 +210,7 @@
+ though the
+ .Cm principals=
+ key option offers a similar facility (see
+-.Xr sshd 8
++.Xr sshd 1M
+ for details).
+ .It Cm Banner
+ The contents of the specified file are sent to the remote user before
[email protected]@ -233,7 +233,7 @@
+ All components of the pathname must be root-owned directories that are
+ not writable by any other user or group.
+ After the chroot,
+-.Xr sshd 8
++.Xr sshd 1M
+ changes the working directory to the user's home directory.
+ .Pp
+ The pathname may contain the following tokens that are expanded at runtime once
[email protected]@ -266,7 +266,7 @@
+ though sessions which use logging do require
+ .Pa /dev/log
+ inside the chroot directory (see
+-.Xr sftp-server 8
++.Xr sftp-server 1M
+ for details).
+ .Pp
+ The default is not to
[email protected]@ -297,7 +297,7 @@
+ .It Cm ClientAliveCountMax
+ Sets the number of client alive messages (see below) which may be
+ sent without
+-.Xr sshd 8
++.Xr sshd 1M
+ receiving any messages back from the client.
+ If this threshold is reached while client alive messages are being sent,
+ sshd will disconnect the client, terminating the session.
[email protected]@ -324,7 +324,7 @@
+ .It Cm ClientAliveInterval
+ Sets a timeout interval in seconds after which if no data has been received
+ from the client,
+-.Xr sshd 8
++.Xr sshd 1M
+ will send a message through the encrypted
+ channel to request a response from the client.
+ The default
[email protected]@ -357,7 +357,7 @@
+ See
+ .Sx PATTERNS
+ in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm DenyUsers
+ This keyword can be followed by a list of user name patterns, separated
[email protected]@ -378,7 +378,7 @@
+ See
+ .Sx PATTERNS
+ in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm ForceCommand
+ Forces the execution of the command specified by
[email protected]@ -403,7 +403,7 @@
+ Specifies whether remote hosts are allowed to connect to ports
+ forwarded for the client.
+ By default,
+-.Xr sshd 8
++.Xr sshd 1M
+ binds remote port forwardings to the loopback address.
+ This prevents other remote hosts from connecting to forwarded ports.
+ .Cm GatewayPorts
[email protected]@ -451,7 +451,7 @@
+ A setting of
+ .Dq yes
+ means that
+-.Xr sshd 8
++.Xr sshd 1M
+ uses the name supplied by the client rather than
+ attempting to resolve the name from the TCP connection itself.
+ The default is
[email protected]@ -462,7 +462,7 @@
+ by
+ .Cm HostKey .
+ The default behaviour of
+-.Xr sshd 8
++.Xr sshd 1M
+ is not to load any certificates.
+ .It Cm HostKey
+ Specifies a file containing a private host key
[email protected]@ -476,7 +476,7 @@
+ .Pa /etc/ssh/ssh_host_rsa_key
+ for protocol version 2.
+ Note that
+-.Xr sshd 8
++.Xr sshd 1M
+ will refuse to use a file if it is group/world-accessible.
+ It is possible to have multiple host key files.
+ .Dq rsa1
[email protected]@ -504,7 +504,7 @@
+ .Dq yes .
+ .It Cm IgnoreUserKnownHosts
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should ignore the user's
+ .Pa ~/.ssh/known_hosts
+ during
[email protected]@ -580,7 +580,7 @@
+ Multiple algorithms must be comma-separated.
+ The default is
+ .Dq ecdh-sha2-nistp256 ,
+-.Dq ecdh-sha2-nistp384 ,
++.Dq ecdh-sha2-nistp834 ,
+ .Dq ecdh-sha2-nistp521 ,
+ .Dq diffie-hellman-group-exchange-sha256 ,
+ .Dq diffie-hellman-group-exchange-sha1 ,
[email protected]@ -597,7 +597,7 @@
+ The default is 3600 (seconds).
+ .It Cm ListenAddress
+ Specifies the local addresses
+-.Xr sshd 8
++.Xr sshd 1M
+ should listen on.
+ The following forms may be used:
+ .Pp
[email protected]@ -640,7 +640,7 @@
+ The default is 120 seconds.
+ .It Cm LogLevel
+ Gives the verbosity level that is used when logging messages from
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ The possible values are:
+ QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+ The default is INFO.
[email protected]@ -681,7 +681,7 @@
+ lists and may use the wildcard and negation operators described in the
+ .Sx PATTERNS
+ section of
+-.Xr ssh_config 5 .
++.Xr ssh_config 4 .
+ .Pp
+ The patterns in an
+ .Cm Address
[email protected]@ -751,7 +751,7 @@
+ the three colon separated values
+ .Dq start:rate:full
+ (e.g. "10:30:60").
+-.Xr sshd 8
++.Xr sshd 1M
+ will refuse connection attempts with a probability of
+ .Dq rate/100
+ (30%)
[email protected]@ -855,7 +855,7 @@
+ options in
+ .Pa ~/.ssh/authorized_keys
+ are processed by
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ The default is
+ .Dq no .
+ Enabling environment processing may enable users to bypass access
[email protected]@ -868,7 +868,7 @@
+ .Pa /var/run/sshd.pid .
+ .It Cm Port
+ Specifies the port number that
+-.Xr sshd 8
++.Xr sshd 1M
+ listens on.
+ The default is 22.
+ Multiple options of this type are permitted.
[email protected]@ -876,7 +876,7 @@
+ .Cm ListenAddress .
+ .It Cm PrintLastLog
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should print the date and time of the last user login when a user logs
+ in interactively.
+ The default is
[email protected]@ -883,7 +883,7 @@
+ .Dq yes .
+ .It Cm PrintMotd
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should print
+ .Pa /etc/motd
+ when a user logs in interactively.
[email protected]@ -891,10 +891,11 @@
+ .Pa /etc/profile ,
+ or equivalent.)
+ The default is
+-.Dq yes .
++.Dq no
++on Solaris.
+ .It Cm Protocol
+ Specifies the protocol versions
+-.Xr sshd 8
++.Xr sshd 1M
+ supports.
+ The possible values are
+ .Sq 1
[email protected]@ -936,7 +937,7 @@
+ The minimum value is 512, and the default is 1024.
+ .It Cm StrictModes
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should check file modes and ownership of the
+ user's files and home directory before accepting login.
+ This is normally desirable because novices sometimes accidentally leave their
[email protected]@ -952,7 +953,7 @@
+ to execute upon subsystem request.
+ .Pp
+ The command
+-.Xr sftp-server 8
++.Xr sftp-server 1M
+ implements the
+ .Dq sftp
+ file transfer subsystem.
[email protected]@ -970,7 +971,7 @@
+ Note that this option applies to protocol version 2 only.
+ .It Cm SyslogFacility
+ Gives the facility code that is used when logging messages from
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
[email protected]@ -1013,7 +1014,7 @@
+ .Xr ssh-keygen 1 .
+ .It Cm UseDNS
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should look up the remote host name and check that
+ the resolved host name for the remote IP address maps back to the
+ very same IP address.
[email protected]@ -1058,13 +1059,14 @@
+ If
+ .Cm UsePAM
+ is enabled, you will not be able to run
+-.Xr sshd 8
++.Xr sshd 1M
+ as a non-root user.
+ The default is
+-.Dq no .
++.Dq yes
++on Solaris.
+ .It Cm UsePrivilegeSeparation
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ separates privileges by creating an unprivileged child process
+ to deal with incoming network traffic.
+ After successful authentication, another process will be created that has
[email protected]@ -1081,7 +1083,7 @@
+ restrictions.
+ .It Cm X11DisplayOffset
+ Specifies the first display number available for
+-.Xr sshd 8 Ns 's
++.Xr sshd 1M Ns 's
+ X11 forwarding.
+ This prevents sshd from interfering with real X11 servers.
+ The default is 10.
[email protected]@ -1096,7 +1098,7 @@
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the
+-.Xr sshd 8
++.Xr sshd 1M
+ proxy display is configured to listen on the wildcard address (see
+ .Cm X11UseLocalhost
+ below), though this is not the default.
[email protected]@ -1107,7 +1109,7 @@
+ forwarding (see the warnings for
+ .Cm ForwardX11
+ in
+-.Xr ssh_config 5 ) .
++.Xr ssh_config 4 ) .
+ A system administrator may have a stance in which they want to
+ protect clients that may expose themselves to attack by unwittingly
+ requesting X11 forwarding, which can warrant a
[email protected]@ -1121,7 +1123,7 @@
+ is enabled.
+ .It Cm X11UseLocalhost
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should bind the X11 forwarding server to the loopback address or to
+ the wildcard address.
+ By default,
[email protected]@ -1152,7 +1154,7 @@
+ .Pa /usr/X11R6/bin/xauth .
+ .El
+ .Sh TIME FORMATS
+-.Xr sshd 8
++.Xr sshd 1M
+ command-line arguments and configuration file options that specify time
+ may be expressed using a sequence of the form:
+ .Sm off
[email protected]@ -1196,12 +1198,12 @@
+ .Bl -tag -width Ds
+ .It Pa /etc/ssh/sshd_config
+ Contains configuration data for
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ This file should be writable by root only, but it is recommended
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+-.Xr sshd 8
++.Xr sshd 1M
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
+--- orig/sshd.8	Thu Jan 10 15:04:00 2013
++++ new/sshd.8	Thu Jan 10 15:53:31 2013
[email protected]@ -35,7 +35,7 @@
+ .\"
+ .\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $
+ .Dd $Mdocdate: September 23 2011 $
+-.Dt SSHD 8
++.Dt SSHD 1M
+ .Os
+ .Sh NAME
+ .Nm sshd
[email protected]@ -79,7 +79,7 @@
+ .Nm
+ can be configured using command-line options or a configuration file
+ (by default
+-.Xr sshd_config 5 ) ;
++.Xr sshd_config 4 ) ;
+ command-line options override values specified in the
+ configuration file.
+ .Nm
[email protected]@ -204,7 +204,7 @@
+ This is useful for specifying options for which there is no separate
+ command-line flag.
+ For full details of the options, and their values, see
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ .It Fl p Ar port
+ Specifies the port on which the server listens for connections
+ (default 22).
[email protected]@ -274,7 +274,7 @@
+ though this can be changed via the
+ .Cm Protocol
+ option in
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ Protocol 2 supports DSA, ECDSA and RSA keys;
+ protocol 1 only supports RSA keys.
+ For both protocols,
[email protected]@ -399,7 +399,7 @@
+ See the
+ .Cm PermitUserEnvironment
+ option in
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ .It
+ Changes to user's home directory.
+ .It
[email protected]@ -542,7 +542,7 @@
+ environment variable.
+ Note that this option applies to shell, command or subsystem execution.
+ Also note that this command may be superseded by either a
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ .Cm ForceCommand
+ directive or a command embedded in a certificate.
+ .It Cm environment="NAME=value"
[email protected]@ -565,7 +565,7 @@
+ See
+ .Sx PATTERNS
+ in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .Pp
+ In addition to the wildcard matching that may be applied to hostnames or
[email protected]@ -859,7 +859,7 @@
+ .It Pa /etc/moduli
+ Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+ The file format is described in
+-.Xr moduli 5 .
++.Xr moduli 4 .
+ .Pp
+ .It Pa /etc/motd
+ See
[email protected]@ -918,7 +918,7 @@
+ Contains configuration data for
+ .Nm sshd .
+ The file format and configuration options are described in
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ .Pp
+ .It Pa /etc/ssh/sshrc
+ Similar to
[email protected]@ -954,10 +954,10 @@
+ .Xr chroot 2 ,
+ .Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+-.Xr moduli 5 ,
+-.Xr sshd_config 5 ,
+-.Xr inetd 8 ,
+-.Xr sftp-server 8
++.Xr moduli 4 ,
++.Xr sshd_config 4 ,
++.Xr inetd 1M ,
++.Xr sftp-server 1M
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
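Review bot: The KexAlgorithms hunk of sshd_config.5 (`@@ -580,7 +580,7 @@`) replaces `.Dq ecdh-sha2-nistp384 ,` with `.Dq ecdh-sha2-nistp834 ,`, which is not a section-number change and reads like a transposed digit; the neighbouring entries are nistp256 and nistp521. An administrator who copies the documented default list into `KexAlgorithms` would end up with a name that does not match the intended algorithm, so that hunk should be dropped and the line left as `.Dq ecdh-sha2-nistp384 ,`. The same file's hunks also change the documented defaults of PrintMotd (to `no`) and UsePAM (to `yes`) "on Solaris". The code or delivered configuration that sets those defaults is not visible in this part of the changeset and is worth checking against the text.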
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,38 @@
+#
+# To make the transition from SunSSH to OpenSSH as smooth as possible, we
+# added SunSSH-only options as deprecated options in OpenSSH. Note that this
+# is an interim enhancement to OpenSSH to make the transition smoother. If a 
+# deprecated SunSSH-only option is migrated to OpenSSH later, then it will be
+# changed from deprecated to supported. Since this is for Solaris only, we will
+# not contribute back this change to the upstream community.
+#
+--- orig/readconf.c	Thu Nov 15 13:32:50 2012
++++ new/readconf.c	Wed Mar 27 14:51:55 2013
[email protected]@ -246,7 +246,26 @@
+ 	{ "kexalgorithms", oKexAlgorithms },
+ 	{ "ipqos", oIPQoS },
+ 	{ "requesttty", oRequestTTY },
+-
++#ifdef DEPRECATE_SUNSSH_OPT
++	/* 
++	 * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
++	 * as possible, we will deprecate SunSSH-only options in OpenSSH. 
++	 * Therefore, on a system that is running OpenSSH with a deprecated
++	 * option from the user's config file (~/.ssh/config), the ssh
++	 * connection will proceed without the deprecated option. Note that
++	 * this is an interim enhancement to OpenSSH to make the transition
++	 * smoother.  If a deprecated SunSSH-only option is migrated to OpenSSH
++	 * later, then it will be changed from deprecated to supported.
++	 */
++	{ "disablebanner", oDeprecated },
++	{ "gssapikeyexchange", oDeprecated },
++	{ "ignoreifunknown", oDeprecated },
++	{ "kmfpolicydatabase", oDeprecated },
++	{ "kmfpolicyname", oDeprecated },
++	{ "trustedanchorkeystore", oDeprecated },
++	{ "usefips140", oDeprecated },
++	{ "useopensslengine", oDeprecated },
++#endif
+ 	{ NULL, oBadOption }
+ };
+ 
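Review bot: The new table entries map security-relevant SunSSH options (`usefips140`, `trustedanchorkeystore`, `kmfpolicydatabase`, `kmfpolicyname`) to `oDeprecated` alongside cosmetic ones such as `disablebanner`. A user configuration that asks for FIPS 140 mode or a KMF certificate policy is therefore accepted, and the connection proceeds without it. How `oDeprecated` is reported lies outside this hunk; if it is logged only at debug level, as I believe the upstream handler does, the user gets no indication unless running with `-v`. I would state this in the block comment, e.g. `* NOTE: usefips140 and the KMF/trust-anchor options are ignored, not enforced.`, and consider reporting those four at a level that is visible by default. The keyword table starts before the hunk.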
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/009-CVE-2010-5107.patch	Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,44 @@
+#
+# This is to fix the CVE-2010-5107 security bug.  The bug fix code came from
+# OpenSSH and is in version 6.2 of OpenSSH.  When we upgrade OpenSSH to
+# version 6.2 or later, we will remove this patch file.
+#
+--- orig/servconf.c	Wed Feb 27 16:03:18 2013
++++ new/servconf.c	Wed Feb 27 16:10:09 2013
[email protected]@ -248,11 +248,11 @@
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
++		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
++		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
++		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+--- orig/sshd_config	Wed Feb 27 16:05:01 2013
++++ new/sshd_config	Wed Feb 27 16:11:50 2013
[email protected]@ -104,7 +104,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ 
+--- orig/sshd_config.5	Wed Feb 27 16:04:36 2013
++++ new/sshd_config.5	Wed Feb 27 16:15:03 2013
[email protected]@ -745,7 +745,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
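Review bot: The three new defaults in servconf.c are applied only in the `== -1` branches, that is, when MaxStartups is not set, so a configuration that already carries an explicit `MaxStartups` keeps its configured limit rather than the new 10:30:100. Whether the sshd_config delivered on Solaris, or shared with SunSSH, sets it explicitly is not visible here and should be checked as part of the CVE-2010-5107 fix. In the code, the mapping between the three fields and the documented `start:rate:full` form is easy to misread because `max_startups` holds the last value. A comment such as `/* MaxStartups default 10:30:100 = begin:rate:max */` above the three assignments would help. The enclosing function starts and ends outside the hunk.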