author | green <green@FreeBSD.org> | 2000-04-20 22:24:19 +0000 |
---|---|---|
committer | green <green@FreeBSD.org> | 2000-04-20 22:24:19 +0000 |
commit | 79b1abd60af2f58c64363d427e25e813b8d47971 (patch) | |
tree | 9c98356037e7833071f075922d9f1c331bfaa4a2 /security/openssh/files | |
parent | d3eb45f861677ad2dd0f86d974c5a9d1fa4a0a6e (diff) | |
Upgrade to version 1.2.3 plus a CVS snapshot from a few hours ago. New stuff in
this release is mostly the support for lots of ssh2. Note that SSH2 is
not fully supported here yet, but it's mostly there; see README.openssh2.
Diffstat (limited to 'security/openssh/files')
-rw-r--r-- | security/openssh/files/patch-ad | 17 | ||||
-rw-r--r-- | security/openssh/files/patch-am | 13 | ||||
-rw-r--r-- | security/openssh/files/patch-an | 284 | ||||
-rw-r--r-- | security/openssh/files/patch-ap | 121 | ||||
-rw-r--r-- | security/openssh/files/patch-au | 201 | ||||
-rw-r--r-- | security/openssh/files/patch-av | 39 |
6 files changed, 298 insertions, 377 deletions
diff --git a/security/openssh/files/patch-ad b/security/openssh/files/patch-ad index fe07d2c..f26905a 100644 --- a/security/openssh/files/patch-ad +++ b/security/openssh/files/patch-ad @@ -1,12 +1,11 @@ ---- lib/Makefile.orig Sun Jan 16 07:10:10 2000 -+++ lib/Makefile Tue Jan 18 14:56:00 2000 -@@ -4,7 +4,12 @@ - SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ +--- /usr/ports/distfiles/OpenSSH-1.2.3/src/usr.bin/ssh/lib/Makefile Thu Apr 20 17:02:17 2000 ++++ lib/Makefile Thu Apr 20 17:08:05 2000 +@@ -5,7 +5,11 @@ cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \ hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ -- rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c -+ rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ -+ strlcat.c strlcpy.c + rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ +- key.c dispatch.c dsa.c kex.c hmac.c ++ key.c dispatch.c dsa.c kex.c hmac.c strlcat.c strlcpy.c + +.if defined(COMPAT_GETADDRINFO) +SRCS+= getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c @@ -14,11 +13,11 @@ NOPROFILE= yes NOPIC= yes -@@ -13,6 +18,7 @@ +@@ -14,6 +18,7 @@ @echo -n .include <bsd.own.mk> +.include "../Makefile.inc" .if (${KERBEROS} == "yes") - CFLAGS+= -DKRB4 -I/usr/include/kerberosIV + CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV diff --git a/security/openssh/files/patch-am b/security/openssh/files/patch-am index 22106d6..25e196b 100644 --- a/security/openssh/files/patch-am +++ b/security/openssh/files/patch-am @@ -1,6 +1,6 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd/Makefile Mon Oct 25 16:27:27 1999 -+++ ./sshd/Makefile Tue Nov 23 19:29:25 1999 -@@ -3,13 +3,14 @@ +--- /usr/ports/distfiles/OpenSSH-1.2.3/src/usr.bin/ssh/sshd/Makefile Thu Apr 20 17:02:17 2000 ++++ sshd/Makefile Thu Apr 20 17:10:39 2000 +@@ -3,14 +3,15 @@ PROG= sshd BINOWN= root BINMODE=555 
@@ -10,14 +10,15 @@ +MAN8= sshd.8 SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - pty.c log-server.c login.c servconf.c serverloop.c + pty.c log-server.c login.c servconf.c serverloop.c session.c \ + auth.c .include <bsd.own.mk> # for KERBEROS and AFS +.include "../Makefile.inc" .if (${KERBEROS} == "yes") - CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -@@ -29,7 +30,7 @@ + .if (${AFS} == "yes") +@@ -30,7 +31,7 @@ .include <bsd.prog.mk> diff --git a/security/openssh/files/patch-an b/security/openssh/files/patch-an index 0a3e98e..e09752e 100644 --- a/security/openssh/files/patch-an +++ b/security/openssh/files/patch-an @@ -1,34 +1,22 @@ ---- sshd.c.orig Fri Jan 7 01:32:03 2000 -+++ sshd.c Fri Jan 7 01:40:05 2000 -@@ -26,6 +26,8 @@ - #include "servconf.h" - #include "uidswap.h" - #include "compat.h" -+#include <poll.h> -+#include <time.h> - - #ifdef LIBWRAP - #include <tcpd.h> -@@ -34,6 +36,16 @@ +--- sshd.c.orig Thu Apr 20 17:11:24 2000 ++++ sshd.c Thu Apr 20 17:17:12 2000 +@@ -48,6 +48,13 @@ int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ +#ifdef __FreeBSD__ +#include <libutil.h> ++#include <poll.h> +#include <syslog.h> -+#define LOGIN_CAP ++#include <time.h> +#endif /* __FreeBSD__ */ + -+#ifdef LOGIN_CAP -+#include <login_cap.h> -+#endif /* LOGIN_CAP */ -+ #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -128,6 +140,32 @@ - the private key. */ - RSA *public_key; +@@ -128,6 +135,32 @@ + /* session identifier, used by RSA-auth */ + unsigned char session_id[16]; +/* These are used to implement connections_per_period. */ +struct magic_connection { 
@@ -57,19 +45,19 @@ +} + /* Prototypes for various functions defined later in this file. */ - void do_connection(); - void do_authentication(char *user); -@@ -301,6 +339,7 @@ - extern int optind; - int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, pid, on = 1; + void do_ssh1_kex(); + void do_ssh2_kex(); +@@ -395,6 +428,7 @@ + int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1; + pid_t pid; socklen_t fromlen; -+ int connections_per_period_exceeded = 0; - int remote_major, remote_minor; ++ int connections_per_period_exceeded = 0; int silentrsa = 0; fd_set *fdset; -@@ -620,6 +659,12 @@ - fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask); - fdset = (fd_set *)xmalloc(fdsetsz); + struct sockaddr_storage from; +@@ -709,6 +743,12 @@ + fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask); + fdset = (fd_set *)xmalloc(fdsetsz); + /* Initialize the magic_connections table. It's magical! */ + magic_connections = calloc(MAGIC_CONNECTIONS_SIZE, @@ -80,7 +68,7 @@ /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. -@@ -651,9 +696,31 @@ +@@ -740,9 +780,31 @@ error("newsock del O_NONBLOCK: %s", strerror(errno)); continue; } @@ -114,7 +102,7 @@ */ if (debug_flag) { /* -@@ -667,6 +734,12 @@ +@@ -756,6 +818,12 @@ sock_out = newsock; pid = getpid(); break; 
@@ -127,235 +115,3 @@ } else { /* * Normal production daemon. Fork, and have -@@ -1152,6 +1225,14 @@ - return 0; - } - } -+ /* Fail if the account's expiration time has passed. */ -+ if (pw->pw_expire != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_expire) -+ return 0; -+ } - /* We found no reason not to let this user try to log on... */ - return 1; - } -@@ -1187,6 +1268,9 @@ - pwcopy.pw_gid = pw->pw_gid; - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); -+ pwcopy.pw_class = xstrdup(pw->pw_class); -+ pwcopy.pw_expire = pw->pw_expire; -+ pwcopy.pw_change = pw->pw_change; - pw = &pwcopy; - - /* -@@ -1983,6 +2067,10 @@ - struct sockaddr_storage from; - socklen_t fromlen; - struct pty_cleanup_context cleanup_context; -+#ifdef LOGIN_CAP -+ login_cap_t *lc; -+ char *fname; -+#endif /* LOGIN_CAP */ - - /* Get remote host name. */ - hostname = get_canonical_hostname(); -@@ -2047,6 +2135,12 @@ - /* Check if .hushlogin exists. */ - snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); - quiet_login = stat(line, &st) >= 0; -+#ifdef LOGIN_CAP -+ lc = login_getpwclass(pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, pw); -+ quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); -+#endif /* LOGIN_CAP */ - - /* - * If the user has logged in before, display the time of last -@@ -2070,6 +2164,20 @@ - else - printf("Last login: %s from %s\r\n", time_string, buf); - } -+#ifdef LOGIN_CAP -+ if (command == NULL && !quiet_login && !options.use_login) { -+ fname = login_getcapstr(lc, "copyright", NULL, NULL); -+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { -+ while (fgets(line, sizeof(line), f) != NULL) -+ fputs(line, stdout); -+ fclose(f); -+ } else -+ (void)printf("%s\n\t%s %s\n", -+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", -+ "The Regents of the University of California. 
", -+ "All rights reserved."); -+ } -+#endif /* LOGIN_CAP */ - /* - * Print /etc/motd unless a command was specified or printing - * it was disabled in server options or login(1) will be -@@ -2078,14 +2186,22 @@ - */ - if (command == NULL && options.print_motd && !quiet_login && - !options.use_login) { -- /* Print /etc/motd if it exists. */ -+#ifdef LOGIN_CAP -+ fname = login_getcapstr(lc, "welcome", NULL, NULL); -+ login_close(lc); -+ if (fname == NULL || (f = fopen(fname, "r")) == NULL) -+ f = fopen("/etc/motd", "r"); -+#else /* LOGIN_CAP */ - f = fopen("/etc/motd", "r"); -+#endif /* LOGIN_CAP */ -+ /* Print /etc/motd if it exists. */ - if (f) { - while (fgets(line, sizeof(line), f)) - fputs(line, stdout); - fclose(f); - } - } -+ - /* Do common processing for the child, such as execing the command. */ - do_child(command, pw, term, display, auth_proto, auth_data, ttyname); - /* NOTREACHED */ -@@ -2221,7 +2337,8 @@ - const char *display, const char *auth_proto, - const char *auth_data, const char *ttyname) - { -- const char *shell, *cp = NULL; -+ char *shell; -+ const char *cp = NULL; - char buf[256]; - FILE *f; - unsigned int envsize, i; -@@ -2229,15 +2346,34 @@ - extern char **environ; - struct stat st; - char *argv[10]; -+#ifdef LOGIN_CAP -+ login_cap_t *lc; -+ -+ lc = login_getpwclass(pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, pw); -+#endif /* LOGIN_CAP */ - - f = fopen("/etc/nologin", "r"); -+#ifdef __FreeBSD__ -+ if (f == NULL) -+ f = fopen("/var/run/nologin", "r"); -+#endif /* __FreeBSD__ */ - if (f) { - /* /etc/nologin exists. Print its contents and exit. */ -- while (fgets(buf, sizeof(buf), f)) -- fputs(buf, stderr); -- fclose(f); -- if (pw->pw_uid != 0) -- exit(254); -+#ifdef LOGIN_CAP -+ /* On FreeBSD, etc., allow overriding nologin via login.conf. 
*/ -+ if (!login_getcapbool(lc, "ignorenologin", 0)) { -+#else /* LOGIN_CAP */ -+ if (1) { -+#endif /* LOGIN_CAP */ -+ while (fgets(buf, sizeof(buf), f)) -+ fputs(buf, stderr); -+ fclose(f); -+ if (pw->pw_uid != 0) -+ exit(254); -+ } -+ - } - /* Set login name in the kernel. */ - if (setlogin(pw->pw_name) < 0) -@@ -2247,6 +2383,13 @@ - /* Login(1) does this as well, and it needs uid 0 for the "-h" - switch, so we let login(1) to this for us. */ - if (!options.use_login) { -+#ifdef LOGIN_CAP -+ if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY | -+ LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) { -+ perror("setclasscontext"); -+ exit(1); -+ } -+#endif /* LOGIN_CAP */ - if (getuid() == 0 || geteuid() == 0) { - if (setgid(pw->pw_gid) < 0) { - perror("setgid"); -@@ -2269,7 +2412,14 @@ - * Get the shell from the password data. An empty shell field is - * legal, and means /bin/sh. - */ -+#ifdef LOGIN_CAP -+ shell = pw->pw_shell; -+ shell = login_getcapstr(lc, "shell", shell, shell); -+ if (shell[0] == '\0') -+ shell = _PATH_BSHELL; -+#else /* LOGIN_CAP */ - shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; -+#endif /* LOGIN_CAP */ - - #ifdef AFS - /* Try to get AFS tokens for the local cell. */ -@@ -2293,7 +2443,12 @@ - child_set_env(&env, &envsize, "USER", pw->pw_name); - child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); - child_set_env(&env, &envsize, "HOME", pw->pw_dir); -+#ifdef LOGIN_CAP -+ child_set_env(&env, &envsize, "PATH", -+ login_getpath(lc, "path", _PATH_STDPATH)); -+#else /* LOGIN_CAP */ - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -+#endif /* LOGIN_CAP */ - - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); -@@ -2383,13 +2538,17 @@ - */ - endpwent(); - -+#ifdef LOGIN_CAP -+ login_close(lc); -+#endif /* LOGIN_CAP */ -+ - /* - * Close any extra open file descriptors so that we don\'t have them - * hanging around in clients. 
Note that we want to do this after - * initgroups, because at least on Solaris 2.3 it leaves file - * descriptors open. - */ -- for (i = 3; i < 64; i++) -+ for (i = 3; i < getdtablesize(); i++) - close(i); - - /* Change current directory to the user\'s home directory. */ -@@ -2408,6 +2567,26 @@ - * in this order). - */ - if (!options.use_login) { -+#ifdef __FreeBSD__ -+ /* -+ * If the password change time is set and has passed, give the -+ * user a password expiry notice and chance to change it. -+ */ -+ if (pw->pw_change != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_change) { -+ (void)printf( -+ "Sorry -- your password has expired.\n"); -+ syslog(LOG_INFO, -+ "%s Password expired - forcing change", -+ pw->pw_name); -+ if (system("/usr/bin/passwd") != 0) -+ perror("/usr/bin/passwd"); -+ } -+ } -+#endif /* __FreeBSD__ */ - if (stat(SSH_USER_RC, &st) >= 0) { - if (debug_flag) - fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); diff --git a/security/openssh/files/patch-ap b/security/openssh/files/patch-ap index 101b456..f002684 100644 --- a/security/openssh/files/patch-ap +++ b/security/openssh/files/patch-ap 
@@ -1,32 +1,32 @@ ---- servconf.c.orig Sun Dec 5 01:48:12 1999 -+++ servconf.c Sun Dec 5 01:57:57 1999 -@@ -63,6 +63,8 @@ - options->num_deny_users = 0; - options->num_allow_groups = 0; +--- servconf.c.orig Thu Apr 20 17:55:11 2000 ++++ servconf.c Thu Apr 20 18:00:08 2000 +@@ -71,6 +71,8 @@ options->num_deny_groups = 0; + options->ciphers = NULL; + options->protocol = SSH_PROTO_UNKNOWN; + options->connections_per_period = 0; + options->connections_period = 0; } - void -@@ -161,7 +163,7 @@ + void +@@ -163,7 +165,7 @@ + #ifdef SKEY + sSkeyAuthentication, + #endif +- sPasswordAuthentication, sListenAddress, ++ sPasswordAuthentication, sListenAddress, sConnectionsPerPeriod, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, -- sIgnoreUserKnownHosts -+ sIgnoreUserKnownHosts, sConnectionsPerPeriod - } ServerOpCodes; - - /* Textual representation of the tokens. */ -@@ -209,6 +211,7 @@ - { "denyusers", sDenyUsers }, - { "allowgroups", sAllowGroups }, +@@ -218,6 +220,7 @@ { "denygroups", sDenyGroups }, + { "ciphers", sCiphers }, + { "protocol", sProtocol }, + { "connectionsperperiod", sConnectionsPerPeriod }, { NULL, 0 } }; -@@ -270,7 +273,11 @@ +@@ -327,7 +330,11 @@ filename, linenum); exit(1); } 
@@ -39,64 +39,12 @@ if (*intptr == -1) *intptr = value; break; -@@ -466,63 +473,65 @@ - - case sAllowUsers: - while ((cp = strtok(NULL, WHITESPACE))) { -- if (options->num_allow_users >= MAX_ALLOW_USERS) { -- fprintf(stderr, "%s line %d: too many allow users.\n", -- filename, linenum); -- exit(1); -- } -+ if (options->num_allow_users >= MAX_ALLOW_USERS) -+ fatal("%.200s line %d: too many allow users.\n", filename, -+ linenum); - options->allow_users[options->num_allow_users++] = xstrdup(cp); - } - break; - - case sDenyUsers: - while ((cp = strtok(NULL, WHITESPACE))) { -- if (options->num_deny_users >= MAX_DENY_USERS) { -- fprintf(stderr, "%s line %d: too many deny users.\n", -- filename, linenum); -- exit(1); -- } -+ if (options->num_deny_users >= MAX_DENY_USERS) -+ fatal("%.200s line %d: too many deny users.\n", filename, -+ linenum); - options->deny_users[options->num_deny_users++] = xstrdup(cp); - } - break; - - case sAllowGroups: - while ((cp = strtok(NULL, WHITESPACE))) { -- if (options->num_allow_groups >= MAX_ALLOW_GROUPS) { -- fprintf(stderr, "%s line %d: too many allow groups.\n", -- filename, linenum); -- exit(1); -- } -+ if (options->num_allow_groups >= MAX_ALLOW_GROUPS) -+ fatal("%.200s line %d: too many allow groups.\n", filename, -+ linenum); - options->allow_groups[options->num_allow_groups++] = xstrdup(cp); - } - break; - - case sDenyGroups: - while ((cp = strtok(NULL, WHITESPACE))) { -- if (options->num_deny_groups >= MAX_DENY_GROUPS) { -- fprintf(stderr, "%s line %d: too many deny groups.\n", -- filename, linenum); -- exit(1); -- } -+ if (options->num_deny_groups >= MAX_DENY_GROUPS) -+ fatal("%.200s line %d: too many deny groups.\n", filename, -+ linenum); +@@ -551,6 +558,21 @@ + filename, linenum); options->deny_groups[options->num_deny_groups++] = xstrdup(cp); } - break; - ++ break; ++ + case sConnectionsPerPeriod: + cp = strtok(NULL, WHITESPACE); + if (cp == NULL) 
@@ -110,29 +58,6 @@ + options->connections_period == 0) + fatal("%.200s line %d: invalid connections period.\n", + filename, linenum); -+ break; -+ - default: -- fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", -+ fatal("%.200s line %d: Missing handler for opcode %s (%d)\n", - filename, linenum, cp, opcode); -- exit(1); -- } -- if (strtok(NULL, WHITESPACE) != NULL) { -- fprintf(stderr, "%s line %d: garbage at end of line.\n", -- filename, linenum); -- exit(1); - } -+ if (strtok(NULL, WHITESPACE) != NULL) -+ fatal("%.200s line %d: garbage at end of line.\n", filename, -+ linenum); - } - fclose(f); -- if (bad_options > 0) { -- fprintf(stderr, "%s: terminating, %d bad configuration options\n", -+ if (bad_options > 0) -+ fatal("%.200s: terminating, %d bad configuration options\n", - filename, bad_options); -- exit(1); -- } - } + break; + + case sCiphers: diff --git a/security/openssh/files/patch-au b/security/openssh/files/patch-au new file mode 100644 index 0000000..9c728ca --- /dev/null +++ b/security/openssh/files/patch-au 
@@ -0,0 +1,201 @@ +--- session.c.orig Thu Apr 20 18:05:07 2000 ++++ session.c Thu Apr 20 18:12:07 2000 +@@ -27,6 +27,18 @@ + #include "ssh2.h" + #include "auth.h" + ++#ifdef __FreeBSD__ ++#include <libutil.h> ++#include <poll.h> ++#include <syslog.h> ++#include <time.h> ++#define LOGIN_CAP ++#endif /* __FreeBSD__ */ ++ ++#ifdef LOGIN_CAP ++#include <login_cap.h> ++#endif /* LOGIN_CAP */ ++ + /* types */ + + #define TTYSZ 64 +@@ -497,6 +509,10 @@ + struct sockaddr_storage from; + struct stat st; + time_t last_login_time; ++#ifdef LOGIN_CAP ++ login_cap_t *lc; ++ char *fname; ++#endif /* LOGIN_CAP */ + + if (s == NULL) + fatal("do_exec_pty: no session"); +@@ -567,6 +583,12 @@ + /* Check if .hushlogin exists. */ + snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); + quiet_login = stat(line, &st) >= 0; ++#ifdef LOGIN_CAP ++ lc = login_getpwclass(pw); ++ if (lc == NULL) ++ lc = login_getclassbyname(NULL, pw); ++ quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); ++#endif /* LOGIN_CAP */ + + /* + * If the user has logged in before, display the time of last +@@ -590,6 +612,20 @@ + else + printf("Last login: %s from %s\r\n", time_string, buf); + } ++#ifdef LOGIN_CAP ++ if (command == NULL && !quiet_login && !options.use_login) { ++ fname = login_getcapstr(lc, "copyright", NULL, NULL); ++ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { ++ while (fgets(line, sizeof(line), f) != NULL) ++ fputs(line, stdout); ++ fclose(f); ++ } else ++ (void)printf("%s\n\t%s %s\n", ++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", ++ "The Regents of the University of California. ", ++ "All rights reserved."); ++ } ++#endif /* LOGIN_CAP */ + /* + * Print /etc/motd unless a command was specified or printing + * it was disabled in server options or login(1) will be +@@ -599,7 +635,18 @@ + if (command == NULL && options.print_motd && !quiet_login && + !options.use_login) { + /* Print /etc/motd if it exists. 
*/ ++#ifdef LOGIN_CAP ++ fname = login_getcapstr(lc, "welcome", NULL, NULL); ++ login_close(lc); ++ if (fname != NULL) { ++ f = fopen(fname, "r"); ++ if (f == NULL) ++ f = fopen("/etc/motd", "r"); ++ } else ++ f = fopen("/etc/motd", "r"); ++#else /* LOGIN_CAP */ + f = fopen("/etc/motd", "r"); ++#endif /* LOGIN_CAP */ + if (f) { + while (fgets(line, sizeof(line), f)) + fputs(line, stdout); +@@ -737,9 +784,25 @@ + extern char **environ; + struct stat st; + char *argv[10]; ++#ifdef LOGIN_CAP ++ login_cap_t *lc; ++ ++ lc = login_getpwclass(pw); ++ if (lc == NULL) ++ lc = login_getclassbyname(NULL, pw); ++#endif /* LOGIN_CAP */ + + f = fopen("/etc/nologin", "r"); ++#ifdef __FreeBSD__ ++ if (f == NULL) ++ f = fopen("/var/run/nologin", "r"); ++#endif /* __FreeBSD__ */ ++#ifdef LOGIN_CAP ++ /* on FreeBSD, etc., allow overriding nologin via login.conf. */ ++ if (f != NULL && !login_getcapbool(lc, "ignorenologin", 0)) { ++#else /* LOGIN_CAP */ + if (f) { ++#endif /* LOGIN_CAP */ + /* /etc/nologin exists. Print its contents and exit. */ + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); +@@ -755,6 +818,13 @@ + /* Login(1) does this as well, and it needs uid 0 for the "-h" + switch, so we let login(1) to this for us. */ + if (!options.use_login) { ++#ifdef LOGIN_CAP ++ if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY | ++ LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) { ++ perror("setclasscontext"); ++ exit(1); ++ } ++#endif /* LOGIN_CAP */ + if (getuid() == 0 || geteuid() == 0) { + if (setgid(pw->pw_gid) < 0) { + perror("setgid"); +@@ -777,7 +847,14 @@ + * Get the shell from the password data. An empty shell field is + * legal, and means /bin/sh. + */ ++#ifdef LOGIN_CAP ++ shell = pw->pw_shell; ++ shell = login_getcapstr(lc, "shell", shell, shell); ++ if (shell[0] == '\0') ++ shell = _PATH_BSHELL; ++#else /* LOGIN_CAP */ + shell = (pw->pw_shell[0] == '\0') ? 
_PATH_BSHELL : pw->pw_shell; ++#endif /* LOGIN_CAP */ + + #ifdef AFS + /* Try to get AFS tokens for the local cell. */ +@@ -801,7 +878,12 @@ + child_set_env(&env, &envsize, "USER", pw->pw_name); + child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); + child_set_env(&env, &envsize, "HOME", pw->pw_dir); ++#ifdef LOGIN_CAP ++ child_set_env(&env, &envsize, "PATH", ++ login_getpath(lc, "path", _PATH_STDPATH)); ++#else /* LOGIN_CAP */ + child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); ++#endif /* LOGIN_CAP */ + + snprintf(buf, sizeof buf, "%.200s/%.50s", + _PATH_MAILDIR, pw->pw_name); +@@ -890,6 +972,9 @@ + * descriptors left by system functions. They will be closed later. + */ + endpwent(); ++#ifdef LOGIN_CAP ++ login_close(lc); ++#endif /* LOGIN_CAP */ + + /* + * Close any extra open file descriptors so that we don\'t have them +@@ -897,7 +982,7 @@ + * initgroups, because at least on Solaris 2.3 it leaves file + * descriptors open. + */ +- for (i = 3; i < 64; i++) ++ for (i = 3; i < getdtablesize(); i++) + close(i); + + /* Change current directory to the user\'s home directory. */ +@@ -916,7 +1001,27 @@ + * in this order). + */ + if (!options.use_login) { +- if (stat(SSH_USER_RC, &st) >= 0) { ++#ifdef __FreeBSD__ ++ /* ++ * If the password change time is set and has passed, give the ++ * user a password expiry notice and chance to change it. ++ */ ++ if (pw->pw_change != 0) { ++ struct timeval tv; ++ ++ (void)gettimeofday(&tv, NULL); ++ if (tv.tv_sec >= pw->pw_change) { ++ (void)printf( ++ "Sorry -- your password has expired.\n"); ++ syslog(LOG_INFO, ++ "%s Password expired - forcing change", ++ pw->pw_name); ++ if (system("/usr/bin/passwd") != 0) ++ perror("/usr/bin/passwd"); ++ } ++ } ++#endif /* __FreeBSD__ */ ++ if (stat(SSH_USER_RC, &st) >= 0) { + if (debug_flag) + fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); + diff --git a/security/openssh/files/patch-av b/security/openssh/files/patch-av new file mode 100644 index 0000000..88cc6a4 --- /dev/null 
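Review bot: In the new `pw_change` block near the end of do_child (patch-au, hunk `@@ -916,7 +1001,27 @@`), `if (system("/usr/bin/passwd") != 0) perror("/usr/bin/passwd");` only reports the failure and then falls through to exec the user's shell or command, so the change that the syslog line calls "forcing" is not actually enforced: a user who quits passwd, or who connects with a command so passwd cannot prompt, keeps working with the expired password. If enforcement is intended, fail closed with `if (system("/usr/bin/passwd") != 0) { perror("/usr/bin/passwd"); exit(1); }`; otherwise the log message should say a change was requested rather than forced. In the visible lines the block is gated only on `!options.use_login`, not on `command == NULL` or on having a tty, so the non-zero return is presumably most common on exactly the non-interactive sessions that then proceed anyway. do_child starts and ends outside this hunk.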
+++ b/security/openssh/files/patch-av @@ -0,0 +1,39 @@ +--- auth.c.orif Thu Apr 20 17:21:58 2000 ++++ auth.c Thu Apr 20 17:50:06 2000 +@@ -26,7 +26,6 @@ + #include "session.h" + #include "dispatch.h" + +- + /* import */ + extern ServerOptions options; + extern char *forced_command; +@@ -106,6 +105,16 @@ + return 0; + } + } ++#ifdef __FreeBSD__ ++ /* Fail if the account's expiration time has passed. */ ++ if (pw->pw_expire != 0) { ++ struct timeval tv; ++ ++ (void)gettimeofday(&tv, NULL); ++ if (tv.tv_sec >= pw->pw_expire) ++ return 0; ++ } ++#endif /* __FreeBSD__ */ + /* We found no reason not to let this user try to log on... */ + return 1; + } +@@ -523,6 +532,11 @@ + pwcopy.pw_gid = pw->pw_gid; + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); ++#ifdef __FreeBSD__ ++ pwcopy.pw_class = xstrdup(pw->pw_class); ++ pwcopy.pw_expire = pw->pw_expire; ++ pwcopy.pw_change = pw->pw_change; ++#endif /* __FreeBSD__ */ + pw = &pwcopy; + + /* |
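Review bot: The new account-expiry check added to allowed_user (patch-av, hunk `@@ -106,6 +105,16 @@`) returns 0 silently when `tv.tv_sec >= pw->pw_expire`, so a login rejected for an expired account leaves no record of why it was refused. Suggest logging the reason before the `return 0;`, e.g. `log("User %.100s not allowed because account has expired", pw->pw_name);`, following whatever pattern the function's other denial paths use (they are outside the hunk, so I cannot confirm they log). `gettimeofday()` is also more than is needed for a seconds-granularity comparison; `if (time(NULL) >= pw->pw_expire) return 0;` reads the same clock and drops the struct. allowed_user's body begins outside the hunk.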