PSARC 2014/078 OpenSSH 6.5
authorHuie-Ying Lee <huieying.lee@oracle.com>
Thu, 27 Mar 2014 19:40:44 -0700
changeset 1796 a2310ec32635
parent 1795 a93a51a16131
child 1797 294646fdcae6
PSARC 2014/078 OpenSSH 6.5 18205826 upgrade OpenSSH to 6.5p1 18268681 openssh has non-existent /usr/local/lib in its runpath 18435439 problem in UTILITY/OPENSSH
components/openssh/Makefile
components/openssh/openssh.p5m
components/openssh/patches/004-broken_bsm_api.patch
components/openssh/patches/005-openssh_krb5_build_fix.patch
components/openssh/patches/006-umac_align_fix.patch
components/openssh/patches/007-manpages.patch
components/openssh/patches/008-deprecate_sunssh_opt.patch
components/openssh/patches/009-CVE-2010-5107.patch
components/openssh/patches/010-gss_store_cred.patch
components/openssh/patches/011-useprivilegedport_regression.patch
components/openssh/patches/012-acceptenv.patch
--- a/components/openssh/Makefile	Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/Makefile	Thu Mar 27 19:40:44 2014 -0700
@@ -23,18 +23,18 @@
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		openssh
-COMPONENT_VERSION=	6.0p1
+COMPONENT_VERSION=	6.5p1
 HUMAN_VERSION=		$(COMPONENT_VERSION)
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 
 # Version for IPS.  The encoding rules are:
 #   OpenSSH <x>.<y>p<n>     => IPS <x>.<y>.0.<n>
 #   OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION=	6.0.0.1
+IPS_COMPONENT_VERSION=	6.5.0.1
 
 COMPONENT_PROJECT_URL=	http://www.openssh.org/
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH=	sha256:589d48e952d6c017e667873486b5df63222f9133d417d0002bd6429d9bd882de
+COMPONENT_ARCHIVE_HASH=	sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
 COMPONENT_ARCHIVE_URL=	http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=utility/openssh
 
@@ -63,6 +63,7 @@
 CONFIGURE_OPTIONS += --with-tcp-wrappers
 CONFIGURE_OPTIONS += --with-4in6
 CONFIGURE_OPTIONS += --enable-strip=no
+CONFIGURE_OPTIONS += --without-rpath
 CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
 CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh
 CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh
--- a/components/openssh/openssh.p5m	Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/openssh.p5m	Thu Mar 27 19:40:44 2014 -0700
@@ -29,7 +29,7 @@
 set name=pkg.human-version value=$(HUMAN_VERSION)
 set name=com.oracle.info.description \
     value="OpenSSH, a suite of tools that help secure network connections"
-set name=com.oracle.info.tpno value=8209
+set name=com.oracle.info.tpno value=16633
 set name=info.classification \
     value=org.opensolaris.category.2008:Applications/Internet \
     value=org.opensolaris.category.2008:System/Security
@@ -51,32 +51,18 @@
     mediator-implementation=openssh
 link path=usr/bin/ssh-keyscan target=../lib/openssh/bin/ssh-keyscan \
     mediator=ssh mediator-implementation=openssh
-# RUNPATH pkglint checking (userland.action001.3) ERRORs on these ELF files
-# are changed to INFO messages; remove this bypass when
-# usr/local/lib is removed from their runpaths
-file usr/bin/scp path=usr/lib/openssh/bin/scp mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/bin/sftp path=usr/lib/openssh/bin/sftp mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/bin/ssh path=usr/lib/openssh/bin/ssh mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/bin/ssh-add path=usr/lib/openssh/bin/ssh-add mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/bin/ssh-agent path=usr/lib/openssh/bin/ssh-agent mode=2555 \
-    pkg.linted.userland.action001.3=true
-file usr/bin/ssh-keygen path=usr/lib/openssh/bin/ssh-keygen mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/bin/ssh-keyscan path=usr/lib/openssh/bin/ssh-keyscan mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/lib/ssh/sftp-server path=usr/lib/openssh/lib/sftp-server mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign mode=4555 \
-    pkg.linted.userland.action001.3=true
-file usr/lib/ssh/ssh-pkcs11-helper path=usr/lib/openssh/lib/ssh-pkcs11-helper \ 
-    mode=0555 \
-    pkg.linted.userland.action001.3=true
-file usr/lib/ssh/sshd path=usr/lib/openssh/lib/sshd mode=0555 \
-    pkg.linted.userland.action001.3=true
+file usr/bin/scp path=usr/lib/openssh/bin/scp mode=0555
+file usr/bin/sftp path=usr/lib/openssh/bin/sftp mode=0555
+file usr/bin/ssh path=usr/lib/openssh/bin/ssh mode=0555
+file usr/bin/ssh-add path=usr/lib/openssh/bin/ssh-add mode=0555
+file usr/bin/ssh-agent path=usr/lib/openssh/bin/ssh-agent mode=2555
+file usr/bin/ssh-keygen path=usr/lib/openssh/bin/ssh-keygen mode=0555
+file usr/bin/ssh-keyscan path=usr/lib/openssh/bin/ssh-keyscan mode=0555
+file usr/lib/ssh/sftp-server path=usr/lib/openssh/lib/sftp-server mode=0555
+file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign mode=4555
+file usr/lib/ssh/ssh-pkcs11-helper path=usr/lib/openssh/lib/ssh-pkcs11-helper \
+    mode=0555
+file usr/lib/ssh/sshd path=usr/lib/openssh/lib/sshd mode=0555
 link path=usr/lib/ssh/sftp-server target=../openssh/lib/sftp-server \
     mediator=ssh mediator-implementation=openssh
 link path=usr/lib/ssh/ssh-keysign target=../openssh/lib/ssh-keysign \
--- a/components/openssh/patches/004-broken_bsm_api.patch	Thu Mar 27 12:02:39 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-#
-# OpenSSH has special hacks in the code to deal with Solaris private API
-# changes in audit (au_close, getacna) for S11. This patch merely modifies the
-# configure script to consider any S11+ a 'newer Solaris' too, not just S11.
-#
-# We reported this problem to the OpenSSH upstream community on Dec 06 2013.
-# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2178
-#
---- openssh-6.0p1/configure	2012-04-19 22:03:38.000000000 -0700
-+++ new/configure	2013-01-10 03:10:29.200564881 -0800
[email protected]@ -9393,7 +9393,7 @@
- 
- $as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h
- 
--		if test "$sol2ver" -eq 11; then
-+		if test "$sol2ver" -ge 11; then
- 		   	SSHDLIBS="$SSHDLIBS -lscf"
- 
- $as_echo "#define BROKEN_BSM_API 1" >>confdefs.h
---- openssh-6.0p1/configure.ac	2013-12-05 05:31:15.809371483 -0800
-+++ new/configure.ac	2013-12-05 05:31:25.689099600 -0800
[email protected]@ -1483,7 +1483,7 @@
- 		# These are optional
- 		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
- 		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
--		if test "$sol2ver" -eq 11; then
-+		if test "$sol2ver" -ge 11; then
- 		   	SSHDLIBS="$SSHDLIBS -lscf"
-                    	AC_DEFINE([BROKEN_BSM_API], [1], 
- 		        	  [The system has incomplete BSM API])
--- a/components/openssh/patches/005-openssh_krb5_build_fix.patch	Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/005-openssh_krb5_build_fix.patch	Thu Mar 27 19:40:44 2014 -0700
@@ -2,62 +2,28 @@
 # This is to work around an unresloved symbol problem with the Kerberos
 # build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
 # is not supported on Solaris, because it violates API abstraction. This
-# workaround disables delegated credentials storing on server side.  
+# workaround disables delegated credentials storing on server side.
 #
 # The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
-# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project). 
+# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project).
 # After that, function gss_krb5_copy_ccache() will be available in Solaris and
 # the delegating credentials functionality will be made available using the
 # upstream code.
 #
-diff -ur old/configure new/configure
---- old/configure	2012-10-22 01:40:00.738542671 -0700
-+++ new/configure	2012-10-22 02:18:52.991019932 -0700
[email protected]@ -15022,6 +15022,12 @@
- 			fi
- 			K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
- 			K5LIBS="`$KRB5CONF --libs $k5confopts`"
-+
-+			# Oracle Solaris
-+			# OpenSSH is mixed-up gssapi AND krb5 aplication
-+			K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
-+			K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
-+
- 			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
- 			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
- $as_echo_n "checking whether we are using Heimdal... " >&6; }
-diff -ru old/ssh-gss.h new/ssh-gss.h
---- old/ssh-gss.h	2012-10-22 02:42:41.469718263 -0700
-+++ new/ssh-gss.h	2012-10-22 02:52:00.222302785 -0700
[email protected]@ -45,7 +45,13 @@
- /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
- 
- #ifndef GSS_C_NT_HOSTBASED_SERVICE
-+/* 
-+ * on Solaris in gssapi.h there is: 
-+ *     extern const gss_OID GSS_C_NT_HOSTBASED_SERVICE; 
-+ */
-+#ifndef KRB5_BUILD_FIX
- #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-+#endif /* KRB5_BUILD_FIX */
- #endif /* GSS_C_NT_... */
- #endif /* !HEIMDAL */
- #endif /* KRB5 */
-diff -u -r old/auth2-gss.c new/auth2-gss.c
---- old/auth2-gss.c	2011-05-04 21:04:11.000000000 -0700
-+++ new/auth2-gss.c	2012-10-25 02:57:42.332456661 -0700
+--- orig/auth2-gss.c	Fri Mar 21 10:41:03 2014
++++ new/auth2-gss.c	Fri Mar 21 11:13:57 2014
 @@ -47,6 +47,10 @@
  
  extern ServerOptions options;
  
 +#ifdef KRB5_BUILD_FIX
-+	extern gss_OID_set g_supported;
++        extern gss_OID_set g_supported;
 +#endif
 +
  static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
  static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
  static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
[email protected]@ -77,7 +81,12 @@
[email protected]@ -77,7 +81,13 @@
  		return (0);
  	}
  
@@ -67,13 +33,28 @@
 +#else
  	ssh_gssapi_supported_oids(&supported);
 +#endif
++
  	do {
  		mechs--;
  
-diff -u -r old/sshd.c new/sshd.c
---- old/sshd.c	2012-10-22 01:28:17.260247177 -0700
-+++ new/sshd.c	2012-10-25 02:53:41.663248837 -0700
[email protected]@ -257,6 +257,11 @@
+--- orig/configure	Fri Mar 21 10:41:03 2014
++++ new/configure	Fri Mar 21 11:02:11 2014
[email protected]@ -16634,6 +16634,12 @@
+ 				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+ 			fi
++
++			# Oracle Solaris
++			# OpenSSH is mixed-up gssapi AND krb5 aplication
++			K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
++			K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
++
+ 			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
+ $as_echo_n "checking whether we are using Heimdal... " >&6; }
+ 			cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+--- orig/sshd.c	Fri Mar 21 10:41:03 2014
++++ new/sshd.c	Fri Mar 21 11:09:30 2014
[email protected]@ -259,6 +259,11 @@
  /* Unprivileged user */
  struct passwd *privsep_pw = NULL;
  
@@ -85,17 +66,18 @@
  /* Prototypes for various functions defined later in this file. */
  void destroy_sensitive_data(void);
  void demote_sensitive_data(void);
[email protected]@ -1351,6 +1356,9 @@
- 	compat_init_setproctitle(ac, av);
[email protected]@ -1407,6 +1412,10 @@
  	av = saved_argv;
  #endif
+ 
 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
 +	OM_uint32 ms;
 +#endif
- 
++
  	if (geteuid() == 0 && setgroups(0, NULL) == -1)
  		debug("setgroups(): %.200s", strerror(errno));
[email protected]@ -1984,6 +1992,11 @@
+ 
[email protected]@ -2083,6 +2092,11 @@
  	buffer_init(&loginmsg);
  	auth_debug_reset();
  
@@ -104,16 +86,17 @@
 +	ssh_gssapi_supported_oids(&g_supported);
 +#endif
 +
- 	if (use_privsep)
+ 	if (use_privsep) {
  		if (privsep_preauth(authctxt) == 1)
  			goto authenticated;
[email protected]@ -2018,6 +2031,9 @@
- 		close(startup_pipe);
[email protected]@ -2120,6 +2134,10 @@
  		startup_pipe = -1;
  	}
+ 
 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
 +	gss_release_oid_set(&ms, &g_supported);
 +#endif 
- 
++
  #ifdef SSH_AUDIT_EVENTS
  	audit_event(SSH_AUTH_SUCCESS);
+ #endif
--- a/components/openssh/patches/006-umac_align_fix.patch	Thu Mar 27 12:02:39 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-#
-# This is to fix an alignment problem on Sparc.  We reported the problem to the
-# OpenSSH upstream community with suggested fixes in May 2013. The upstream 
-# accepted the union fix and has integrated the fix in the 6.3 release. In the 
-# future, when we upgrade OpenSSH to 6.3 or later, we should remove this patch.
-# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2101
-#
---- orig/mac.c	Fri Sep 20 14:53:41 2013
-+++ new/mac.c	Fri Sep 20 15:04:13 2013
[email protected]@ -132,12 +132,15 @@
- u_char *
- mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
- {
--	static u_char m[EVP_MAX_MD_SIZE];
-+	static union {
-+		u_char m[EVP_MAX_MD_SIZE];
-+		u_int64_t for_align;
-+	} u;
- 	u_char b[4], nonce[8];
- 
--	if (mac->mac_len > sizeof(m))
-+	if (mac->mac_len > sizeof(u))
- 		fatal("mac_compute: mac too long %u %lu",
--		    mac->mac_len, (u_long)sizeof(m));
-+		    mac->mac_len, (u_long)sizeof(u));
- 
- 	switch (mac->type) {
- 	case SSH_EVP:
[email protected]@ -146,17 +149,17 @@
- 		HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
- 		HMAC_Update(&mac->evp_ctx, b, sizeof(b));
- 		HMAC_Update(&mac->evp_ctx, data, datalen);
--		HMAC_Final(&mac->evp_ctx, m, NULL);
-+		HMAC_Final(&mac->evp_ctx, u.m, NULL);
- 		break;
- 	case SSH_UMAC:
- 		put_u64(nonce, seqno);
- 		umac_update(mac->umac_ctx, data, datalen);
--		umac_final(mac->umac_ctx, m, nonce);
-+		umac_final(mac->umac_ctx, u.m, nonce);
- 		break;
- 	default:
- 		fatal("mac_compute: unknown MAC type");
- 	}
--	return (m);
-+	return (u.m);
- }
- 
- void
--- a/components/openssh/patches/007-manpages.patch	Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/007-manpages.patch	Thu Mar 27 19:40:44 2014 -0700
@@ -5,12 +5,12 @@
 # pages, the section numbers of some OpenSSH man pages are changed to be as 
 # same as their corresponding ones in SunSSH.
 #
---- orig/moduli.5	Thu Jan 10 15:04:00 2013
-+++ new/moduli.5	Thu Jan 10 17:25:53 2013
+--- orig/moduli.5	Thu Feb  6 10:00:17 2014
++++ new/moduli.5	Thu Feb  6 10:08:07 2014
 @@ -14,7 +14,7 @@
  .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- .Dd $Mdocdate: October 14 2010 $
+ .Dd $Mdocdate: September 26 2012 $
 -.Dt MODULI 5
 +.Dt MODULI 4
  .Os
@@ -60,21 +60,21 @@
  .Xr ssh-keygen 1 ,
 -.Xr sshd 8
 +.Xr sshd 1M
+ .Sh STANDARDS
  .Rs
- .%R RFC 4419
- .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
---- orig/sftp-server.8	Thu Jan 10 15:04:00 2013
-+++ new/sftp-server.8	Thu Jan 10 15:48:21 2013
+ .%A M. Friedl
+--- orig/sftp-server.8	Thu Feb  6 10:01:20 2014
++++ new/sftp-server.8	Thu Feb  6 10:09:59 2014
 @@ -23,7 +23,7 @@
  .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  .\"
- .Dd $Mdocdate: January 9 2010 $
+ .Dd $Mdocdate: October 14 2013 $
 -.Dt SFTP-SERVER 8
 +.Dt SFTP-SERVER 1M
  .Os
  .Sh NAME
  .Nm sftp-server
[email protected]@ -40,7 +40,7 @@
[email protected]@ -47,7 +47,7 @@
  to stdout and expects client requests from stdin.
  .Nm
  is not intended to be called directly, but from
@@ -83,7 +83,7 @@
  using the
  .Cm Subsystem
  option.
[email protected]@ -51,7 +51,7 @@
[email protected]@ -58,7 +58,7 @@
  .Cm Subsystem
  declaration.
  See
@@ -92,7 +92,16 @@
  for more information.
  .Pp
  Valid options are:
[email protected]@ -106,8 +106,8 @@
[email protected]@ -71,7 +71,7 @@
+ and %u is replaced by the username of that user.
+ The default is to use the user's home directory.
+ This option is useful in conjunction with the
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ .Cm ChrootDirectory
+ option.
+ .It Fl e
[email protected]@ -152,8 +152,8 @@
  .Sh SEE ALSO
  .Xr sftp 1 ,
  .Xr ssh 1 ,
@@ -103,18 +112,18 @@
  .Rs
  .%A T. Ylonen
  .%A S. Lehtinen
---- orig/ssh_config.5	Thu Jan 10 15:04:00 2013
-+++ new/ssh_config.5	Thu Jan 10 15:48:48 2013
+--- orig/ssh_config.5	Thu Feb  6 10:01:20 2014
++++ new/ssh_config.5	Thu Mar 27 16:37:50 2014
 @@ -35,7 +35,7 @@
  .\"
- .\" $OpenBSD: ssh_config.5,v 1.154 2011/09/09 00:43:00 djm Exp $
- .Dd $Mdocdate: September 9 2011 $
+ .\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
+ .Dd $Mdocdate: January 19 2014 $
 -.Dt SSH_CONFIG 5
 +.Dt SSH_CONFIG 4
  .Os
  .Sh NAME
  .Nm ssh_config
[email protected]@ -353,7 +353,7 @@
[email protected]@ -503,7 +503,7 @@
  .Dq Fl O No exit
  option).
  If set to a time in seconds, or a time in any of the formats documented in
@@ -123,16 +132,16 @@
  then the backgrounded master connection will automatically terminate
  after it has remained idle (with no client connections) for the
  specified time.
[email protected]@ -473,7 +473,7 @@
[email protected]@ -622,7 +622,7 @@
+ Specify a timeout for untrusted X11 forwarding
  using the format described in the
- .Sx TIME FORMATS
- section of
+ TIME FORMATS section of
 -.Xr sshd_config 5 .
 +.Xr sshd_config 4 .
  X11 connections received by
  .Xr ssh 1
  after this time will be refused.
[email protected]@ -540,7 +540,7 @@
[email protected]@ -689,7 +689,7 @@
  These hashed names may be used normally by
  .Xr ssh 1
  and
@@ -141,16 +150,16 @@
  but they do not reveal identifying information should the file's contents
  be disclosed.
  The default is
[email protected]@ -885,7 +885,7 @@
- The command can be basically anything,
- and should read from its standard input and write to its standard output.
- It should eventually connect an
--.Xr sshd 8
-+.Xr sshd 1M
- server running on some machine, or execute
- .Ic sshd -i
- somewhere.
[email protected]@ -967,7 +967,7 @@
[email protected]@ -1122,7 +1122,7 @@
+ The optional second value is specified in seconds and may use any of the
+ units documented in the
+ TIME FORMATS section of
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ The default value for
+ .Cm RekeyLimit
+ is
[email protected]@ -1166,7 +1166,7 @@
  will only succeed if the server's
  .Cm GatewayPorts
  option is enabled (see
@@ -159,7 +168,7 @@
  .It Cm RequestTTY
  Specifies whether to request a pseudo-tty for the session.
  The argument may be one of:
[email protected]@ -1019,7 +1019,7 @@
[email protected]@ -1218,7 +1218,7 @@
  Refer to
  .Cm AcceptEnv
  in
@@ -168,12 +177,12 @@
  for how to configure the server.
  Variables are specified by name, which may contain wildcard characters.
  Multiple environment variables may be separated by whitespace or spread
---- orig/ssh-keysign.8	Thu Jan 10 15:04:00 2013
-+++ new/ssh-keysign.8	Thu Jan 10 15:49:23 2013
+--- orig/ssh-keysign.8	Thu Feb  6 10:01:20 2014
++++ new/ssh-keysign.8	Thu Feb  6 10:13:05 2014
 @@ -23,7 +23,7 @@
  .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  .\"
- .Dd $Mdocdate: August 31 2010 $
+ .Dd $Mdocdate: December 7 2013 $
 -.Dt SSH-KEYSIGN 8
 +.Dt SSH-KEYSIGN 1M
  .Os
@@ -188,7 +197,7 @@
  for more information about host-based authentication.
  .Sh FILES
  .Bl -tag -width Ds -compact
[email protected]@ -81,8 +81,8 @@
[email protected]@ -83,8 +83,8 @@
  .Sh SEE ALSO
  .Xr ssh 1 ,
  .Xr ssh-keygen 1 ,
@@ -199,23 +208,23 @@
  .Sh HISTORY
  .Nm
  first appeared in
---- orig/ssh-pkcs11-helper.8	Thu Jan 10 15:04:00 2013
-+++ new/ssh-pkcs11-helper.8	Thu Jan 10 15:49:48 2013
+--- orig/ssh-pkcs11-helper.8	Thu Feb  6 10:01:20 2014
++++ new/ssh-pkcs11-helper.8	Thu Feb  6 10:14:40 2014
 @@ -15,7 +15,7 @@
  .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  .\"
- .Dd $Mdocdate: February 10 2010 $
+ .Dd $Mdocdate: July 16 2013 $
 -.Dt SSH-PKCS11-HELPER 8
 +.Dt SSH-PKCS11-HELPER 1M
  .Os
  .Sh NAME
  .Nm ssh-pkcs11-helper
---- orig/sshd_config.5	Thu Jan 10 15:04:00 2013
-+++ new/sshd_config.5	Fri Jan 11 15:56:09 2013
+--- orig/sshd_config.5	Thu Feb  6 10:01:20 2014
++++ new/sshd_config.5	Thu Feb  6 10:17:21 2014
 @@ -35,7 +35,7 @@
  .\"
- .\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $
- .Dd $Mdocdate: September 9 2011 $
+ .\" $OpenBSD: sshd_config.5,v 1.170 2013/12/08 09:53:27 dtucker Exp $
+ .Dd $Mdocdate: December 8 2013 $
 -.Dt SSHD_CONFIG 5
 +.Dt SSHD_CONFIG 4
  .Os
@@ -248,43 +257,52 @@
  Valid arguments are
  .Dq any ,
  .Dq inet
[email protected]@ -120,7 +120,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -118,7 +118,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
 -.Xr ssh_config 5
 +.Xr ssh_config 4
  for more information on patterns.
  .It Cm AllowTcpForwarding
  Specifies whether TCP forwarding is permitted.
[email protected]@ -149,7 +149,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -158,7 +158,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
 -.Xr ssh_config 5
 +.Xr ssh_config 4
  for more information on patterns.
- .It Cm AuthorizedKeysFile
- Specifies the file that contains the public keys that can be used
[email protected]@ -157,7 +157,7 @@
+ .It Cm AuthenticationMethods
+ Specifies the authentication methods that must be successfully completed
[email protected]@ -202,7 +202,7 @@
+ It will be invoked with a single argument of the username
+ being authenticated, and should produce on standard output zero or
+ more lines of authorized_keys output (see AUTHORIZED_KEYS in
+-.Xr sshd 8 ) .
++.Xr sshd 1M ) .
+ If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+ and authorize the user then public key authentication continues using the usual
+ .Cm AuthorizedKeysFile
[email protected]@ -218,7 +218,7 @@
  The format is described in the
- .Sx AUTHORIZED_KEYS FILE FORMAT
+ AUTHORIZED_KEYS FILE FORMAT
  section of
 -.Xr sshd 8 .
 +.Xr sshd 1M .
  .Cm AuthorizedKeysFile
  may contain tokens of the form %T which are substituted during connection
  setup.
[email protected]@ -182,7 +182,7 @@
- in
- .Sx AUTHORIZED_KEYS FILE FORMAT
- in
[email protected]@ -241,7 +241,7 @@
+ to be accepted for authentication.
+ Names are listed one per line preceded by key options (as described
+ in AUTHORIZED_KEYS FILE FORMAT in
 -.Xr sshd 8 ) .
 +.Xr sshd 1M ) .
  Empty lines and comments starting with
  .Ql #
  are ignored.
[email protected]@ -210,7 +210,7 @@
[email protected]@ -271,7 +271,7 @@
  though the
  .Cm principals=
  key option offers a similar facility (see
@@ -293,7 +311,7 @@
  for details).
  .It Cm Banner
  The contents of the specified file are sent to the remote user before
[email protected]@ -233,7 +233,7 @@
[email protected]@ -294,7 +294,7 @@
  All components of the pathname must be root-owned directories that are
  not writable by any other user or group.
  After the chroot,
@@ -302,16 +320,7 @@
  changes the working directory to the user's home directory.
  .Pp
  The pathname may contain the following tokens that are expanded at runtime once
[email protected]@ -266,7 +266,7 @@
- though sessions which use logging do require
- .Pa /dev/log
- inside the chroot directory (see
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- for details).
- .Pp
- The default is not to
[email protected]@ -297,7 +297,7 @@
[email protected]@ -370,7 +370,7 @@
  .It Cm ClientAliveCountMax
  Sets the number of client alive messages (see below) which may be
  sent without
@@ -320,7 +329,7 @@
  receiving any messages back from the client.
  If this threshold is reached while client alive messages are being sent,
  sshd will disconnect the client, terminating the session.
[email protected]@ -324,7 +324,7 @@
[email protected]@ -397,7 +397,7 @@
  .It Cm ClientAliveInterval
  Sets a timeout interval in seconds after which if no data has been received
  from the client,
@@ -329,25 +338,25 @@
  will send a message through the encrypted
  channel to request a response from the client.
  The default
[email protected]@ -357,7 +357,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -428,7 +428,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
 -.Xr ssh_config 5
 +.Xr ssh_config 4
  for more information on patterns.
  .It Cm DenyUsers
  This keyword can be followed by a list of user name patterns, separated
[email protected]@ -378,7 +378,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -447,7 +447,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
 -.Xr ssh_config 5
 +.Xr ssh_config 4
  for more information on patterns.
  .It Cm ForceCommand
  Forces the execution of the command specified by
[email protected]@ -403,7 +403,7 @@
[email protected]@ -472,7 +472,7 @@
  Specifies whether remote hosts are allowed to connect to ports
  forwarded for the client.
  By default,
@@ -356,7 +365,7 @@
  binds remote port forwardings to the loopback address.
  This prevents other remote hosts from connecting to forwarded ports.
  .Cm GatewayPorts
[email protected]@ -451,7 +451,7 @@
[email protected]@ -520,7 +520,7 @@
  A setting of
  .Dq yes
  means that
@@ -365,7 +374,7 @@
  uses the name supplied by the client rather than
  attempting to resolve the name from the TCP connection itself.
  The default is
[email protected]@ -462,7 +462,7 @@
[email protected]@ -531,7 +531,7 @@
  by
  .Cm HostKey .
  The default behaviour of
@@ -374,7 +383,7 @@
  is not to load any certificates.
  .It Cm HostKey
  Specifies a file containing a private host key
[email protected]@ -476,7 +476,7 @@
[email protected]@ -546,7 +546,7 @@
  .Pa /etc/ssh/ssh_host_rsa_key
  for protocol version 2.
  Note that
@@ -383,7 +392,7 @@
  will refuse to use a file if it is group/world-accessible.
  It is possible to have multiple host key files.
  .Dq rsa1
[email protected]@ -504,7 +504,7 @@
[email protected]@ -587,7 +587,7 @@
  .Dq yes .
  .It Cm IgnoreUserKnownHosts
  Specifies whether
@@ -392,16 +401,7 @@
  should ignore the user's
  .Pa ~/.ssh/known_hosts
  during
[email protected]@ -580,7 +580,7 @@
- Multiple algorithms must be comma-separated.
- The default is
- .Dq ecdh-sha2-nistp256 ,
--.Dq ecdh-sha2-nistp384 ,
-+.Dq ecdh-sha2-nistp834 ,
- .Dq ecdh-sha2-nistp521 ,
- .Dq diffie-hellman-group-exchange-sha256 ,
- .Dq diffie-hellman-group-exchange-sha1 ,
[email protected]@ -597,7 +597,7 @@
[email protected]@ -681,7 +681,7 @@
  The default is 3600 (seconds).
  .It Cm ListenAddress
  Specifies the local addresses
@@ -410,7 +410,7 @@
  should listen on.
  The following forms may be used:
  .Pp
[email protected]@ -640,7 +640,7 @@
[email protected]@ -724,7 +724,7 @@
  The default is 120 seconds.
  .It Cm LogLevel
  Gives the verbosity level that is used when logging messages from
@@ -419,16 +419,16 @@
  The possible values are:
  QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
  The default is INFO.
[email protected]@ -681,7 +681,7 @@
[email protected]@ -776,7 +776,7 @@
+ The match patterns may consist of single entries or comma-separated
  lists and may use the wildcard and negation operators described in the
- .Sx PATTERNS
- section of
+ PATTERNS section of
 -.Xr ssh_config 5 .
 +.Xr ssh_config 4 .
  .Pp
  The patterns in an
  .Cm Address
[email protected]@ -751,7 +751,7 @@
[email protected]@ -856,7 +856,7 @@
  the three colon separated values
  .Dq start:rate:full
  (e.g. "10:30:60").
@@ -437,7 +437,7 @@
  will refuse connection attempts with a probability of
  .Dq rate/100
  (30%)
[email protected]@ -855,7 +855,7 @@
[email protected]@ -969,7 +969,7 @@
  options in
  .Pa ~/.ssh/authorized_keys
  are processed by
@@ -446,7 +446,7 @@
  The default is
  .Dq no .
  Enabling environment processing may enable users to bypass access
[email protected]@ -868,7 +868,7 @@
[email protected]@ -982,7 +982,7 @@
  .Pa /var/run/sshd.pid .
  .It Cm Port
  Specifies the port number that
@@ -455,7 +455,7 @@
  listens on.
  The default is 22.
  Multiple options of this type are permitted.
[email protected]@ -876,7 +876,7 @@
[email protected]@ -990,7 +990,7 @@
  .Cm ListenAddress .
  .It Cm PrintLastLog
  Specifies whether
@@ -464,7 +464,7 @@
  should print the date and time of the last user login when a user logs
  in interactively.
  The default is
[email protected]@ -883,7 +883,7 @@
[email protected]@ -997,7 +997,7 @@
  .Dq yes .
  .It Cm PrintMotd
  Specifies whether
@@ -473,13 +473,8 @@
  should print
  .Pa /etc/motd
  when a user logs in interactively.
[email protected]@ -891,10 +891,11 @@
- .Pa /etc/profile ,
- or equivalent.)
- The default is
--.Dq yes .
-+.Dq no
-+on Solaris.
[email protected]@ -1008,7 +1008,7 @@
+ .Dq yes .
  .It Cm Protocol
  Specifies the protocol versions
 -.Xr sshd 8
@@ -487,7 +482,7 @@
  supports.
  The possible values are
  .Sq 1
[email protected]@ -936,7 +937,7 @@
[email protected]@ -1081,7 +1081,7 @@
  The minimum value is 512, and the default is 1024.
  .It Cm StrictModes
  Specifies whether
@@ -496,16 +491,7 @@
  should check file modes and ownership of the
  user's files and home directory before accepting login.
  This is normally desirable because novices sometimes accidentally leave their
[email protected]@ -952,7 +953,7 @@
- to execute upon subsystem request.
- .Pp
- The command
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- implements the
- .Dq sftp
- file transfer subsystem.
[email protected]@ -970,7 +971,7 @@
[email protected]@ -1115,7 +1115,7 @@
  Note that this option applies to protocol version 2 only.
  .It Cm SyslogFacility
  Gives the facility code that is used when logging messages from
@@ -514,7 +500,7 @@
  The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
  The default is AUTH.
[email protected]@ -1013,7 +1014,7 @@
[email protected]@ -1156,7 +1156,7 @@
  .Xr ssh-keygen 1 .
  .It Cm UseDNS
  Specifies whether
@@ -523,7 +509,7 @@
  should look up the remote host name and check that
  the resolved host name for the remote IP address maps back to the
  very same IP address.
[email protected]@ -1058,13 +1059,14 @@
[email protected]@ -1201,13 +1201,13 @@
  If
  .Cm UsePAM
  is enabled, you will not be able to run
@@ -531,9 +517,7 @@
 +.Xr sshd 1M
  as a non-root user.
  The default is
--.Dq no .
-+.Dq yes
-+on Solaris.
+ .Dq no .
  .It Cm UsePrivilegeSeparation
  Specifies whether
 -.Xr sshd 8
@@ -541,8 +525,8 @@
  separates privileges by creating an unprivileged child process
  to deal with incoming network traffic.
  After successful authentication, another process will be created that has
[email protected]@ -1081,7 +1083,7 @@
- restrictions.
[email protected]@ -1229,7 +1229,7 @@
+ .Dq none .
  .It Cm X11DisplayOffset
  Specifies the first display number available for
 -.Xr sshd 8 Ns 's
@@ -550,7 +534,7 @@
  X11 forwarding.
  This prevents sshd from interfering with real X11 servers.
  The default is 10.
[email protected]@ -1096,7 +1098,7 @@
[email protected]@ -1244,7 +1244,7 @@
  .Pp
  When X11 forwarding is enabled, there may be additional exposure to
  the server and to client displays if the
@@ -559,7 +543,7 @@
  proxy display is configured to listen on the wildcard address (see
  .Cm X11UseLocalhost
  below), though this is not the default.
[email protected]@ -1107,7 +1109,7 @@
[email protected]@ -1255,7 +1255,7 @@
  forwarding (see the warnings for
  .Cm ForwardX11
  in
@@ -568,7 +552,7 @@
  A system administrator may have a stance in which they want to
  protect clients that may expose themselves to attack by unwittingly
  requesting X11 forwarding, which can warrant a
[email protected]@ -1121,7 +1123,7 @@
[email protected]@ -1269,7 +1269,7 @@
  is enabled.
  .It Cm X11UseLocalhost
  Specifies whether
@@ -577,7 +561,7 @@
  should bind the X11 forwarding server to the loopback address or to
  the wildcard address.
  By default,
[email protected]@ -1152,7 +1154,7 @@
[email protected]@ -1300,7 +1300,7 @@
  .Pa /usr/X11R6/bin/xauth .
  .El
  .Sh TIME FORMATS
@@ -586,7 +570,7 @@
  command-line arguments and configuration file options that specify time
  may be expressed using a sequence of the form:
  .Sm off
[email protected]@ -1196,12 +1198,12 @@
[email protected]@ -1344,12 +1344,12 @@
  .Bl -tag -width Ds
  .It Pa /etc/ssh/sshd_config
  Contains configuration data for
@@ -601,18 +585,18 @@
  .Sh AUTHORS
  OpenSSH is a derivative of the original and free
  ssh 1.2.12 release by Tatu Ylonen.
---- orig/sshd.8	Thu Jan 10 15:04:00 2013
-+++ new/sshd.8	Thu Jan 10 15:53:31 2013
+--- orig/sshd.8	Thu Feb  6 10:01:20 2014
++++ new/sshd.8	Thu Feb  6 10:22:35 2014
 @@ -35,7 +35,7 @@
  .\"
- .\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $
- .Dd $Mdocdate: September 23 2011 $
+ .\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
+ .Dd $Mdocdate: December 7 2013 $
 -.Dt SSHD 8
 +.Dt SSHD 1M
  .Os
  .Sh NAME
  .Nm sshd
[email protected]@ -79,7 +79,7 @@
[email protected]@ -80,7 +80,7 @@
  .Nm
  can be configured using command-line options or a configuration file
  (by default
@@ -621,7 +605,7 @@
  command-line options override values specified in the
  configuration file.
  .Nm
[email protected]@ -204,7 +204,7 @@
[email protected]@ -210,7 +210,7 @@
  This is useful for specifying options for which there is no separate
  command-line flag.
  For full details of the options, and their values, see
@@ -630,16 +614,16 @@
  .It Fl p Ar port
  Specifies the port on which the server listens for connections
  (default 22).
[email protected]@ -274,7 +274,7 @@
[email protected]@ -280,7 +280,7 @@
  though this can be changed via the
  .Cm Protocol
  option in
 -.Xr sshd_config 5 .
 +.Xr sshd_config 4 .
- Protocol 2 supports DSA, ECDSA and RSA keys;
+ Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
  protocol 1 only supports RSA keys.
  For both protocols,
[email protected]@ -399,7 +399,7 @@
[email protected]@ -405,7 +405,7 @@
  See the
  .Cm PermitUserEnvironment
  option in
@@ -648,7 +632,7 @@
  .It
  Changes to user's home directory.
  .It
[email protected]@ -542,7 +542,7 @@
[email protected]@ -550,7 +550,7 @@
  environment variable.
  Note that this option applies to shell, command or subsystem execution.
  Also note that this command may be superseded by either a
@@ -657,16 +641,16 @@
  .Cm ForceCommand
  directive or a command embedded in a certificate.
  .It Cm environment="NAME=value"
[email protected]@ -565,7 +565,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -571,7 +571,7 @@
+ name of the remote host or its IP address must be present in the
+ comma-separated list of patterns.
+ See PATTERNS in
 -.Xr ssh_config 5
 +.Xr ssh_config 4
  for more information on patterns.
  .Pp
  In addition to the wildcard matching that may be applied to hostnames or
[email protected]@ -859,7 +859,7 @@
[email protected]@ -865,7 +865,7 @@
  .It Pa /etc/moduli
  Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
  The file format is described in
@@ -675,7 +659,7 @@
  .Pp
  .It Pa /etc/motd
  See
[email protected]@ -918,7 +918,7 @@
[email protected]@ -926,7 +926,7 @@
  Contains configuration data for
  .Nm sshd .
  The file format and configuration options are described in
@@ -684,7 +668,7 @@
  .Pp
  .It Pa /etc/ssh/sshrc
  Similar to
[email protected]@ -954,10 +954,10 @@
[email protected]@ -962,10 +962,10 @@
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
  .Xr login.conf 5 ,
--- a/components/openssh/patches/008-deprecate_sunssh_opt.patch	Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch	Thu Mar 27 19:40:44 2014 -0700
@@ -6,32 +6,31 @@
 # changed from deprecated to supported. Since this is for Solaris only, we will
 # not contribute back this change to the upstream community.
 #
---- orig/readconf.c	Thu Nov 15 13:32:50 2012
-+++ new/readconf.c	Wed Mar 27 14:51:55 2013
[email protected]@ -246,7 +246,26 @@
- 	{ "kexalgorithms", oKexAlgorithms },
- 	{ "ipqos", oIPQoS },
- 	{ "requesttty", oRequestTTY },
+--- orig/readconf.c	Wed Feb  5 17:16:20 2014
++++ new/readconf.c	Fri Mar 14 09:52:42 2014
[email protected]@ -267,7 +267,25 @@
+ 	{ "canonicalizemaxdots", oCanonicalizeMaxDots },
+ 	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+ 	{ "ignoreunknown", oIgnoreUnknown },
 -
 +#ifdef DEPRECATE_SUNSSH_OPT
-+	/* 
-+	 * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
-+	 * as possible, we will deprecate SunSSH-only options in OpenSSH. 
-+	 * Therefore, on a system that is running OpenSSH with a deprecated
-+	 * option from the user's config file (~/.ssh/config), the ssh
-+	 * connection will proceed without the deprecated option. Note that
-+	 * this is an interim enhancement to OpenSSH to make the transition
-+	 * smoother.  If a deprecated SunSSH-only option is migrated to OpenSSH
-+	 * later, then it will be changed from deprecated to supported.
-+	 */
-+	{ "disablebanner", oDeprecated },
-+	{ "gssapikeyexchange", oDeprecated },
-+	{ "ignoreifunknown", oDeprecated },
-+	{ "kmfpolicydatabase", oDeprecated },
-+	{ "kmfpolicyname", oDeprecated },
-+	{ "trustedanchorkeystore", oDeprecated },
-+	{ "usefips140", oDeprecated },
-+	{ "useopensslengine", oDeprecated },
++        /*
++         * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
++         * as possible, we will deprecate SunSSH-only options in OpenSSH.
++         * Therefore, on a system that is running OpenSSH with a deprecated
++         * option from the user's config file (~/.ssh/config), the ssh
++         * connection will proceed without the deprecated option. Note that
++         * this is an interim enhancement to OpenSSH to make the transition
++         * smoother.  If a deprecated SunSSH-only option is migrated to OpenSSH
++         * later, then it will be changed from deprecated to supported.
++         */
++        { "disablebanner", oDeprecated },
++        { "gssapikeyexchange", oDeprecated },
++        { "kmfpolicydatabase", oDeprecated },
++        { "kmfpolicyname", oDeprecated },
++        { "trustedanchorkeystore", oDeprecated },
++        { "usefips140", oDeprecated },
++        { "useopensslengine", oDeprecated },
 +#endif
  	{ NULL, oBadOption }
  };
--- a/components/openssh/patches/009-CVE-2010-5107.patch	Thu Mar 27 12:02:39 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,44 +0,0 @@
-#
-# This is to fix the CVE-2010-5107 security bug.  The bug fix code came from
-# OpenSSH and is in version 6.2 of OpenSSH.  When we upgrade OpenSSH to
-# version 6.2 or later, we will remove this patch file.
-#
---- orig/servconf.c	Wed Feb 27 16:03:18 2013
-+++ new/servconf.c	Wed Feb 27 16:10:09 2013
[email protected]@ -248,11 +248,11 @@
- 	if (options->gateway_ports == -1)
- 		options->gateway_ports = 0;
- 	if (options->max_startups == -1)
--		options->max_startups = 10;
-+		options->max_startups = 100;
- 	if (options->max_startups_rate == -1)
--		options->max_startups_rate = 100;		/* 100% */
-+		options->max_startups_rate = 30;		/* 30% */
- 	if (options->max_startups_begin == -1)
--		options->max_startups_begin = options->max_startups;
-+		options->max_startups_begin = 10;
- 	if (options->max_authtries == -1)
- 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
- 	if (options->max_sessions == -1)
---- orig/sshd_config	Wed Feb 27 16:05:01 2013
-+++ new/sshd_config	Wed Feb 27 16:11:50 2013
[email protected]@ -104,7 +104,7 @@
- #ClientAliveCountMax 3
- #UseDNS yes
- #PidFile /var/run/sshd.pid
--#MaxStartups 10
-+#MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- 
---- orig/sshd_config.5	Wed Feb 27 16:04:36 2013
-+++ new/sshd_config.5	Wed Feb 27 16:15:03 2013
[email protected]@ -745,7 +745,7 @@
- Additional connections will be dropped until authentication succeeds or the
- .Cm LoginGraceTime
- expires for a connection.
--The default is 10.
-+The default is 10:30:100.
- .Pp
- Alternatively, random early drop can be enabled by specifying
- the three colon separated values
--- a/components/openssh/patches/010-gss_store_cred.patch	Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/010-gss_store_cred.patch	Thu Mar 27 19:40:44 2014 -0700
@@ -13,13 +13,12 @@
 # libgssapi_krb5) Solaris Kerberos libgss does not have Kerberos mechanism
 # directly built in the library and this function is not directly accessible.
 #
-# The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED 
+# The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED
 # and GSSAPI_STORECREDS_NEEDS_RUID macros.
 #
-diff -ur old/config.h.in new/config.h.in
---- old/config.h.in	2012-04-19 22:03:32.000000000 -0700
-+++ new/config.h.in	2014-03-12 06:47:38.667166593 -0700
[email protected]@ -1465,6 +1465,12 @@
+--- orig/config.h.in	Fri Mar 21 11:42:17 2014
++++ new/config.h.in	Fri Mar 21 11:46:26 2014
[email protected]@ -1616,6 +1616,12 @@
  /* Use btmp to log bad logins */
  #undef USE_BTMP
  
@@ -32,51 +31,49 @@
  /* Use libedit for sftp */
  #undef USE_LIBEDIT
  
-diff -ur old/configure new/configure
---- old/configure	2014-03-12 04:01:33.320409426 -0700
-+++ new/configure	2014-03-12 06:47:48.510155481 -0700
[email protected]@ -7201,6 +7201,9 @@
+--- orig/configure	Fri Mar 21 11:42:24 2014
++++ new/configure	Fri Mar 21 11:49:51 2014
[email protected]@ -7797,6 +7797,9 @@
  
  fi
  
-+	$as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
-+	$as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
++        $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
++        $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
 +
+ 	TEST_SHELL=$SHELL	# let configure find us a capable shell
+ 	;;
+ *-*-sunos4*)
+--- orig/configure.ac	Fri Mar 21 11:42:28 2014
++++ new/configure.ac	Fri Mar 21 16:32:28 2014
[email protected]@ -866,6 +866,8 @@
+ 		],
+ 	)
+ 	TEST_SHELL=$SHELL	# let configure find us a capable shell
++        AC_DEFINE([USE_GSS_STORE_CRED])
++        AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
  	;;
  *-*-sunos4*)
  	CPPFLAGS="$CPPFLAGS -DSUNOS4"
-diff -ur old/configure.ac new/configure.ac
---- old/configure.ac	2014-03-12 04:01:33.310743659 -0700
-+++ new/configure.ac	2014-03-12 06:47:59.218730468 -0700
[email protected]@ -802,6 +802,8 @@
- 			SP_MSG="yes" ], )
- 		],
- 	)
-+	AC_DEFINE([USE_GSS_STORE_CRED])
-+	AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
- 	;;
- *-*-sunos4*)
- 	CPPFLAGS="$CPPFLAGS -DSUNOS4"
-diff -ur old/gss-serv-krb5.c new/gss-serv-krb5.c
---- old/gss-serv-krb5.c	2006-08-31 22:38:36.000000000 -0700
-+++ new/gss-serv-krb5.c	2014-03-17 06:25:36.218227736 -0700
[email protected]@ -109,6 +109,7 @@
+--- orig/gss-serv-krb5.c	Fri Mar 21 11:42:46 2014
++++ new/gss-serv-krb5.c	Fri Mar 21 11:54:48 2014
[email protected]@ -109,7 +109,7 @@
+ 	return retval;
  }
  
- 
+-
 +#ifndef USE_GSS_STORE_CRED
  /* This writes out any forwarded credentials from the structure populated
   * during userauth. Called after we have setuid to the user */
  
[email protected]@ -183,6 +184,7 @@
[email protected]@ -195,6 +195,7 @@
  
  	return;
  }
-+#endif	/* #ifndef USE_GSS_STORE_CRED */
++#endif /* #ifndef USE_GSS_STORE_CRED */
  
  ssh_gssapi_mech gssapi_kerberos_mech = {
  	"toWM5Slw5Ew8Mqkay+al2g==",
[email protected]@ -191,7 +193,11 @@
[email protected]@ -203,7 +204,11 @@
  	NULL,
  	&ssh_gssapi_krb5_userok,
  	NULL,
@@ -88,10 +85,9 @@
  };
  
  #endif /* KRB5 */
-diff -ur old/gss-serv.c new/gss-serv.c
---- old/gss-serv.c	2011-08-05 13:16:46.000000000 -0700
-+++ new/gss-serv.c	2014-03-12 05:55:42.368676287 -0700
[email protected]@ -292,22 +292,66 @@
+--- orig/gss-serv.c	Fri Mar 21 11:42:53 2014
++++ new/gss-serv.c	Fri Mar 21 15:59:43 2014
[email protected]@ -292,6 +292,9 @@
  void
  ssh_gssapi_cleanup_creds(void)
  {
@@ -101,6 +97,7 @@
  	if (gssapi_client.store.filename != NULL) {
  		/* Unlink probably isn't sufficient */
  		debug("removing gssapi cred file\"%s\"",
[email protected]@ -298,6 +301,7 @@
  		    gssapi_client.store.filename);
  		unlink(gssapi_client.store.filename);
  	}
@@ -108,6 +105,7 @@
  }
  
  /* As user */
[email protected]@ -304,10 +308,50 @@
  void
  ssh_gssapi_storecreds(void)
  {
@@ -158,25 +156,23 @@
  }
  
  /* This allows GSSAPI methods to do things to the childs environment based
-diff -ur old/servconf.c new/servconf.c
---- old/servconf.c	2014-03-12 04:01:33.343205265 -0700
-+++ new/servconf.c	2014-03-12 04:01:33.400368192 -0700
[email protected]@ -386,7 +386,11 @@
+--- orig/servconf.c	Fri Mar 21 11:43:02 2014
++++ new/servconf.c	Fri Mar 21 16:02:54 2014
[email protected]@ -409,7 +409,11 @@
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 +#ifdef USE_GSS_STORE_CRED
 +	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+#else	/* USE_GSS_STORE_CRED*/
++#else /* USE_GSS_STORE_CRED */
  	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+#endif	/* USE_GSS_STORE_CRED*/
++#endif /* USE_GSS_STORE_CRED */
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-diff -ur old/sshd.c new/sshd.c
---- old/sshd.c	2014-03-12 04:01:33.321603394 -0700
-+++ new/sshd.c	2014-03-12 06:48:16.296909610 -0700
[email protected]@ -2041,9 +2041,23 @@
+--- orig/sshd.c	Fri Mar 21 11:43:08 2014
++++ new/sshd.c	Mon Mar 24 15:05:30 2014
[email protected]@ -2126,9 +2126,23 @@
  
  #ifdef GSSAPI
  	if (options.gss_authentication) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/011-useprivilegedport_regression.patch	Thu Mar 27 19:40:44 2014 -0700
@@ -0,0 +1,62 @@
+#
+# This is to fix a regression in OpenSSH6.5p1 for UsePrivilegedPort=yes. The
+# bug fix code came from OpenSSH.org.  When we upgrade OpenSSH to version 6.6
+# or later, we will remove this patch file.
+#
+--- orig/sshconnect.c	Mon Feb 10 13:56:07 2014
++++ new/sshconnect.c	Mon Feb 10 17:10:54 2014
[email protected]@ -269,7 +269,7 @@
+ ssh_create_socket(int privileged, struct addrinfo *ai)
+ {
+ 	int sock, r, gaierr;
+-	struct addrinfo hints, *res;
++	struct addrinfo hints, *res = NULL;
+ 
+ 	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ 	if (sock < 0) {
[email protected]@ -282,17 +282,19 @@
+ 	if (options.bind_address == NULL && !privileged)
+ 		return sock;
+ 
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = ai->ai_family;
+-	hints.ai_socktype = ai->ai_socktype;
+-	hints.ai_protocol = ai->ai_protocol;
+-	hints.ai_flags = AI_PASSIVE;
+-	gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+-	if (gaierr) {
++	if (options.bind_address) {
++            memset(&hints, 0, sizeof(hints));
++	    hints.ai_family = ai->ai_family;
++	    hints.ai_socktype = ai->ai_socktype;
++	    hints.ai_protocol = ai->ai_protocol;
++	    hints.ai_flags = AI_PASSIVE;
++	    gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
++	    if (gaierr) {
+ 		error("getaddrinfo: %s: %s", options.bind_address,
+ 		    ssh_gai_strerror(gaierr));
+ 		close(sock);
+ 		return -1;
++	    }
+ 	}
+ 	/*
+ 	 * If we are running as root and want to connect to a privileged
[email protected]@ -300,7 +302,7 @@
+ 	 */
+ 	if (privileged) {
+ 		PRIV_START;
+-		r = bindresvport_sa(sock, res->ai_addr);
++		r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
+ 		PRIV_END;
+ 		if (r < 0) {
+ 			error("bindresvport_sa: af=%d %s", ai->ai_family,
[email protected]@ -317,7 +319,8 @@
+ 			return -1;
+ 		}
+ 	}
+-	freeaddrinfo(res);
++        if (res != NULL)
++	        freeaddrinfo(res);
+ 	return sock;
+ }
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/012-acceptenv.patch	Thu Mar 27 19:40:44 2014 -0700
@@ -0,0 +1,33 @@
+#
+# This is to fix a security bug (CVE-2014-2532) when using environment passing
+# with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6
+# could be tricked into accepting any enviornment variable that contains the
+# characters before the wildcard character.  The bug fix code came from 
+# OpenSSH.org.  When we upgrade OpenSSH to version 6.6 or later, we will remove
+# this patch file.
+#
+--- orig/session.c	Tue Mar 18 18:37:57 2014
++++ new/session.c	Tue Mar 18 18:41:17 2014
[email protected]@ -978,6 +978,11 @@
+ 	u_int envsize;
+ 	u_int i, namelen;
+ 
++	if (strchr(name, '=') != NULL) {
++	        error("Invalid environment variable \"%.100s\"", name);
++                return;
++	}
++
+ 	/*
+ 	 * If we're passed an uninitialized list, allocate a single null
+ 	 * entry before continuing.
[email protected]@ -2225,8 +2230,8 @@
+ 	char *name, *val;
+ 	u_int name_len, val_len, i;
+ 
+-	name = packet_get_string(&name_len);
+-	val = packet_get_string(&val_len);
++	name = packet_get_cstring(&name_len);
++	val = packet_get_cstring(&val_len);
+ 	packet_check_eom();
+ 
+ 	/* Don't set too many environment variables */