Add the patches fom ports (QV: ports/security/openssh/patches/patch-*)

12 files changed, 328 insertions, 53 deletions

diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h
index 68690e3..a20318c 100644
--- a/crypto/openssh/includes.h
+++ b/crypto/openssh/includes.h
@@ -11,6 +11,7 @@
  * 
  * This file includes most of the needed system headers.
  * 
+ * $FreeBSD$
  */
 
 #ifndef INCLUDES_H
@@ -24,12 +25,12 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #include <sys/select.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>
-#include <sys/endian.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 #include <sys/time.h>
 #include <sys/un.h>
 #include <sys/resource.h>
+#include <machine/endian.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -38,7 +39,6 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #include <arpa/inet.h>
 #include <netdb.h>
 
-#include <netgroup.h>
 #include <stdio.h>
 #include <ctype.h>
 #include <errno.h>
@@ -66,4 +66,29 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
  */
 #define USE_PIPES 1
 
+#if defined(__FreeBSD__) && __FreeBSD__ <= 3
+/*
+ * Data types.
+ */
+typedef u_char          sa_family_t;
+typedef u_int32_t       socklen_t;
+
+/*
+ * bsd-api-new-02a: protocol-independent placeholder for socket addresses
+ */
+#define	_SS_MAXSIZE	128
+#define	_SS_ALIGNSIZE	(sizeof(int64_t))
+#define	_SS_PAD1SIZE	(_SS_ALIGNSIZE - sizeof(u_char) * 2)
+#define	_SS_PAD2SIZE	(_SS_MAXSIZE - sizeof(u_char) * 2 - \
+				_SS_PAD1SIZE - _SS_ALIGNSIZE)
+
+struct sockaddr_storage {
+	u_char		ss_len;		/* address length */
+	sa_family_t	ss_family;	/* address family */
+	char		__ss_pad1[_SS_PAD1SIZE];
+	int64_t		__ss_align;	/* force desired structure storage alignment */
+	char		__ss_pad2[_SS_PAD2SIZE];
+};
+#endif
+
 #endif				/* INCLUDES_H */
diff --git a/crypto/openssh/login.c b/crypto/openssh/login.c
index 574a9cc..55480de 100644
--- a/crypto/openssh/login.c
+++ b/crypto/openssh/login.c
@@ -15,12 +15,17 @@
  * login the current system has.  Also, we want to be able to execute commands
  * on a tty.
  * 
+ * $FreeBSD$
  */
 
 #include "includes.h"
 RCSID("$Id: login.c,v 1.11 2000/01/04 00:07:59 markus Exp $");
 
+#ifdef __FreeBSD__
+#include <libutil.h>
+#else
 #include <util.h>
+#endif /* __FreeBSD__ */
 #include <utmp.h>
 #include "ssh.h"
 
diff --git a/crypto/openssh/pty.c b/crypto/openssh/pty.c
index 86da668..c354529 100644
--- a/crypto/openssh/pty.c
+++ b/crypto/openssh/pty.c
@@ -11,12 +11,17 @@
  * 
  * Allocating a pseudo-terminal, and making it the controlling tty.
  * 
+ * $FreeBSD$
  */
 
 #include "includes.h"
 RCSID("$Id: pty.c,v 1.12 2000/02/15 16:52:58 markus Exp $");
 
+#ifdef __FreeBSD__
+#include <libutil.h>
+#else
 #include <util.h>
+#endif
 #include "pty.h"
 #include "ssh.h"
 
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index eb1b20e..6ae36e6 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -9,6 +9,7 @@
  * 
  * Created: Mon Aug 21 15:48:58 1995 ylo
  * 
+ * $FreeBSD$
  */
 
 #include "includes.h"
@@ -67,6 +68,8 @@ initialize_server_options(ServerOptions *options)
 	options->num_deny_users = 0;
 	options->num_allow_groups = 0;
 	options->num_deny_groups = 0;
+	options->connections_per_period = 0;
+	options->connections_period = 0;
 }
 
 void 
@@ -159,7 +162,7 @@ typedef enum {
 	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
-	sIgnoreUserKnownHosts
+	sIgnoreUserKnownHosts, sConnectionsPerPeriod
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -207,6 +210,7 @@ static struct {
 	{ "denyusers", sDenyUsers },
 	{ "allowgroups", sAllowGroups },
 	{ "denygroups", sDenyGroups },
+	{ "connectionsperperiod", sConnectionsPerPeriod },
 	{ NULL, 0 }
 };
 
@@ -316,7 +320,11 @@ parse_int:
 					filename, linenum);
 				exit(1);
 			}
-			value = atoi(cp);
+			if (sscanf(cp, " %d ", &value) != 1) {
+				fprintf(stderr, "%s line %d: invalid integer value.\n",
+					filename, linenum);
+				exit(1);
+			}
 			if (*intptr == -1)
 				*intptr = value;
 			break;
@@ -506,63 +514,65 @@ parse_flag:
 
 		case sAllowUsers:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_allow_users >= MAX_ALLOW_USERS) {
-					fprintf(stderr, "%s line %d: too many allow users.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_allow_users >= MAX_ALLOW_USERS)
+					fatal("%.200s line %d: too many allow users.\n", filename,
+					    linenum);
 				options->allow_users[options->num_allow_users++] = xstrdup(cp);
 			}
 			break;
 
 		case sDenyUsers:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_deny_users >= MAX_DENY_USERS) {
-					fprintf(stderr, "%s line %d: too many deny users.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_deny_users >= MAX_DENY_USERS)
+					fatal("%.200s line %d: too many deny users.\n", filename,
+					    linenum);
 				options->deny_users[options->num_deny_users++] = xstrdup(cp);
 			}
 			break;
 
 		case sAllowGroups:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_allow_groups >= MAX_ALLOW_GROUPS) {
-					fprintf(stderr, "%s line %d: too many allow groups.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
+					fatal("%.200s line %d: too many allow groups.\n", filename,
+					    linenum);
 				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
 			}
 			break;
 
 		case sDenyGroups:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_deny_groups >= MAX_DENY_GROUPS) {
-					fprintf(stderr, "%s line %d: too many deny groups.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_deny_groups >= MAX_DENY_GROUPS)
+					fatal("%.200s line %d: too many deny groups.\n", filename,
+					    linenum);
 				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
 			}
 			break;
 
+		case sConnectionsPerPeriod:
+			cp = strtok(NULL, WHITESPACE);
+			if (cp == NULL)
+				fatal("%.200s line %d: missing (>= 0) number argument.\n",
+					filename, linenum);
+			if (sscanf(cp, " %u/%u ", &options->connections_per_period,
+			    &options->connections_period) != 2)
+				fatal("%.200s line %d: invalid numerical argument(s).\n",
+				    filename, linenum);
+			if (options->connections_per_period != 0 &&
+			    options->connections_period == 0)
+				fatal("%.200s line %d: invalid connections period.\n",
+				    filename, linenum);
+			break;
+
 		default:
-			fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
+			fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
 				filename, linenum, cp, opcode);
-			exit(1);
-		}
-		if (strtok(NULL, WHITESPACE) != NULL) {
-			fprintf(stderr, "%s line %d: garbage at end of line.\n",
-				filename, linenum);
-			exit(1);
 		}
+		if (strtok(NULL, WHITESPACE) != NULL)
+			fatal("%.200s line %d: garbage at end of line.\n", filename,
+			    linenum);
 	}
 	fclose(f);
-	if (bad_options > 0) {
-		fprintf(stderr, "%s: terminating, %d bad configuration options\n",
+	if (bad_options > 0)
+		fatal("%.200s: terminating, %d bad configuration options\n",
 			filename, bad_options);
-		exit(1);
-	}
 }
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
index dd4caf7..e21e7ab 100644
--- a/crypto/openssh/servconf.h
+++ b/crypto/openssh/servconf.h
@@ -11,6 +11,7 @@
  * 
  * Definitions for server configuration data and for the functions reading it.
  * 
+ * $FreeBSD$
  */
 
 /* RCSID("$Id: servconf.h,v 1.15 2000/01/04 00:08:00 markus Exp $"); */
@@ -87,6 +88,12 @@ typedef struct {
 	char   *allow_groups[MAX_ALLOW_GROUPS];
 	unsigned int num_deny_groups;
 	char   *deny_groups[MAX_DENY_GROUPS];
+	unsigned int connections_per_period;	/*
+						 * If not 0, number of sshd
+						 * connections accepted per
+						 * connections_period.
+						 */
+	unsigned int connections_period;
 }       ServerOptions;
 /*
  * Initializes the server options to special values that indicate that they
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index f42fcb6..81ce2ec 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -8,6 +8,8 @@
  * of X11, TCP/IP, and authentication connections.
  *
  * Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada.
+ *
+ * $FreeBSD$
  */
 
 #include "includes.h"
@@ -131,6 +133,9 @@ rsh_connect(char *host, char *user, Buffer * command)
 	log("Using rsh.  WARNING: Connection will not be encrypted.");
 	/* Build argument list for rsh. */
 	i = 0;
+#ifndef	_PATH_RSH
+#define	_PATH_RSH	"/usr/bin/rsh"
+#endif
 	args[i++] = _PATH_RSH;
 	/* host may have to come after user on some systems */
 	args[i++] = host;
diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h
index 47872ce..b7ae4fe 100644
--- a/crypto/openssh/ssh.h
+++ b/crypto/openssh/ssh.h
@@ -11,6 +11,7 @@
  * 
  * Generic header file for ssh.
  * 
+ * $FreeBSD$
  */
 
 /* RCSID("$Id: ssh.h,v 1.33 2000/02/01 22:32:53 d Exp $"); */
@@ -61,7 +62,7 @@
  */
 #define SSH_SERVICE_NAME	"ssh"
 
-#define ETCDIR			"/etc"
+#define ETCDIR			"__PREFIX__/etc"
 #define PIDDIR			"/var/run"
 
 /*
@@ -78,7 +79,7 @@
 #define SERVER_CONFIG_FILE	ETCDIR "/sshd_config"
 #define HOST_CONFIG_FILE	ETCDIR "/ssh_config"
 
-#define SSH_PROGRAM		"/usr/bin/ssh"
+#define SSH_PROGRAM		"__PREFIX__/bin/ssh"
 
 /*
  * The process id of the daemon listening for connections is saved here to
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 9fb064d..6d823f5 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -1,6 +1,8 @@
 # This is ssh client systemwide configuration file.  This file provides 
 # defaults for users, and the values can be changed in per-user configuration
 # files or on the command line.
+#
+# $FreeBSD$
 
 # Configuration data is parsed as follows:
 #  1. command line options
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index 62a842f..98308dc 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -5,6 +5,8 @@
  * Created: Sat Mar 18 22:15:47 1995 ylo
  * Code to connect to a remote host, and to perform the client side of the
  * login (authentication) dialog.
+ * 
+ * $FreeBSD$
  */
 
 #include "includes.h"
@@ -1085,9 +1087,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 	case AF_INET:
 		local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
 		break;
+#ifdef INET6
 	case AF_INET6:
 		local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
 		break;
+#endif
 	default:
 		local = 0;
 		break;
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
index 7aa9cf4..93ee16b 100644
--- a/crypto/openssh/sshd.8
+++ b/crypto/openssh/sshd.8
@@ -10,6 +10,7 @@
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
 .\" $Id: sshd.8,v 1.33 2000/02/21 14:19:09 deraadt Exp $
+.\" $FreeBSD$
 .\"
 .Dd September 25, 1999
 .Dt SSHD 8
@@ -228,6 +229,31 @@ Specifies whether
 should check for new mail for interactive logins.
 The default is
 .Dq no .
+.It Cm ConnectionsPerPeriod
+This keyword allows for rate-limiting of connections, and
+is followed by two numbers in the format
+.Dq n/s ,
+where
+.Ar n
+is the number of connections from a certain address group
+accepted per period of
+.Ar s
+seconds.  Any connection after the number
+.Ar n
+connection in the period of
+.Ar s
+seconds will be dropped, and an informational message will be logged.
+A connection will belong to a certain group, of which there are 13
+by default, according to its IP address.
+The default for this keyword is
+.Dq 0/0 ,
+and rate-limiting can be explicitly turned off by using an
+.Ar n
+parameter of
+.Ql 0
+and any
+.Ar s
+parameter.
 .It Cm DenyGroups
 This keyword can be followed by a number of group names, separated
 by spaces.  Users whose primary group matches one of the patterns
@@ -466,8 +492,9 @@ section).
 If the login is on a tty, records login time.
 .It
 Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
 (unless root).
 .It
 Changes to run with normal user privileges.
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 6cea307..03ccbf7 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -8,6 +8,8 @@
  * information to/from the application to the user client over an encrypted
  * connection.  This can also handle forwarding of X11, TCP/IP, and authentication
  * agent connections.
+ * 
+ * $FreeBSD$
  */
 
 #include "includes.h"
@@ -24,6 +26,8 @@ RCSID("$OpenBSD: sshd.c,v 1.88 2000/02/15 16:52:57 markus Exp $");
 #include "servconf.h"
 #include "uidswap.h"
 #include "compat.h"
+#include <poll.h>
+#include <time.h>
 
 #ifdef LIBWRAP
 #include <tcpd.h>
@@ -32,6 +36,16 @@ int allow_severity = LOG_INFO;
 int deny_severity = LOG_WARNING;
 #endif /* LIBWRAP */
 
+#ifdef __FreeBSD__
+#include <libutil.h>
+#include <syslog.h>
+#define	LOGIN_CAP
+#endif /* __FreeBSD__ */
+
+#ifdef LOGIN_CAP
+#include <login_cap.h>
+#endif /* LOGIN_CAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
@@ -126,6 +140,32 @@ int received_sighup = 0;
    the private key. */
 RSA *public_key;
 
+/* These are used to implement connections_per_period. */
+struct magic_connection {
+		struct timeval connections_begin;
+		unsigned int connections_this_period;
+} *magic_connections;
+/* Magic number, too!  TODO: this doesn't have to be static. */
+const size_t MAGIC_CONNECTIONS_SIZE = 1;
+
+static __inline int
+magic_hash(struct sockaddr *sa) {
+
+	return 0;
+}
+
+static __inline struct timeval
+timevaldiff(struct timeval *tv1, struct timeval *tv2) {
+	struct timeval diff;
+	int carry;
+
+	carry = tv1->tv_usec > tv2->tv_usec;
+	diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1);
+	diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0);
+
+	return diff;
+}
+
 /* Prototypes for various functions defined later in this file. */
 void do_ssh_kex();
 void do_authentication();
@@ -321,6 +361,7 @@ main(int ac, char **av)
 	extern int optind;
 	int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, pid, on = 1;
 	socklen_t fromlen;
+ 	int connections_per_period_exceeded = 0;
 	int remote_major, remote_minor;
 	int silentrsa = 0;
 	fd_set *fdset;
@@ -640,6 +681,12 @@ main(int ac, char **av)
 		fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);         
 		fdset = (fd_set *)xmalloc(fdsetsz);                                  
 
+		/* Initialize the magic_connections table.  It's magical! */
+		magic_connections = calloc(MAGIC_CONNECTIONS_SIZE,
+		    sizeof(struct magic_connection));
+		if (magic_connections == NULL)
+			fatal("calloc: %s", strerror(errno));
+
 		/*
 		 * Stay listening for connections until the system crashes or
 		 * the daemon is killed with a signal.
@@ -671,9 +718,31 @@ main(int ac, char **av)
 				error("newsock del O_NONBLOCK: %s", strerror(errno));
 				continue;
 			}
+			if (options.connections_per_period != 0) {
+				struct timeval diff, connections_end;
+				struct magic_connection *mc;
+
+				(void)gettimeofday(&connections_end, NULL);
+				mc = &magic_connections[magic_hash(ai->ai_addr)];
+				diff = timevaldiff(&mc->connections_begin, &connections_end);
+				if (diff.tv_sec >= options.connections_period) {
+					/*
+					 * Slide the window forward only after completely
+					 * leaving it.
+					 */
+					mc->connections_begin = connections_end;
+					mc->connections_this_period = 1;
+				} else {
+					if (++mc->connections_this_period >
+					    options.connections_per_period)
+						connections_per_period_exceeded = 1;
+				}
+			}
+					
 			/*
-			 * Got connection.  Fork a child to handle it, unless
-			 * we are in debugging mode.
+			 * Got connection.  Fork a child to handle it unless
+			 * we are in debugging mode or the maximum number of
+			 * connections per period has been exceeded.
 			 */
 			if (debug_flag) {
 				/*
@@ -687,6 +756,12 @@ main(int ac, char **av)
 				sock_out = newsock;
 				pid = getpid();
 				break;
+			} else if (connections_per_period_exceeded) {
+				log("Connection rate limit of %u/%us has been exceeded; "
+				    "dropping connection from %s.",
+				    options.connections_per_period, options.connections_period,
+				    ntop);
+				connections_per_period_exceeded = 0;
 			} else {
 				/*
 				 * Normal production daemon.  Fork, and have
@@ -1171,6 +1246,14 @@ allowed_user(struct passwd * pw)
 				return 0;
 		}
 	}
+	/* Fail if the account's expiration time has passed. */
+	if (pw->pw_expire != 0) {
+		struct timeval tv;
+
+		(void)gettimeofday(&tv, NULL);
+		if (tv.tv_sec >= pw->pw_expire)
+			return 0;
+	}
 	/* We found no reason not to let this user try to log on... */
 	return 1;
 }
@@ -1217,6 +1300,9 @@ do_authentication()
 	pwcopy.pw_gid = pw->pw_gid;
 	pwcopy.pw_dir = xstrdup(pw->pw_dir);
 	pwcopy.pw_shell = xstrdup(pw->pw_shell);
+	pwcopy.pw_class = xstrdup(pw->pw_class);
+	pwcopy.pw_expire = pw->pw_expire;
+	pwcopy.pw_change = pw->pw_change;
 	pw = &pwcopy;
 
 	/*
@@ -1996,6 +2082,10 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
 	struct sockaddr_storage from;
 	socklen_t fromlen;
 	struct pty_cleanup_context cleanup_context;
+#ifdef LOGIN_CAP
+	login_cap_t *lc;
+	char *fname;
+#endif /* LOGIN_CAP */
 
 	/* Get remote host name. */
 	hostname = get_canonical_hostname();
@@ -2060,6 +2150,12 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
 		/* Check if .hushlogin exists. */
 		snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);
 		quiet_login = stat(line, &st) >= 0;
+#ifdef LOGIN_CAP
+		lc = login_getpwclass(pw);
+		if (lc == NULL)
+			lc = login_getclassbyname(NULL, pw);
+		quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+#endif /* LOGIN_CAP */
 
 		/*
 		 * If the user has logged in before, display the time of last
@@ -2083,6 +2179,20 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
 			else
 				printf("Last login: %s from %s\r\n", time_string, buf);
 		}
+#ifdef LOGIN_CAP
+		if (command == NULL && !quiet_login && !options.use_login) {
+			fname = login_getcapstr(lc, "copyright", NULL, NULL);
+			if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+				while (fgets(line, sizeof(line), f) != NULL)
+					fputs(line, stdout);
+				fclose(f);
+			} else
+				(void)printf("%s\n\t%s %s\n",
+		"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+		    "The Regents of the University of California. ",
+		    "All rights reserved.");
+		}
+#endif /* LOGIN_CAP */
 		/*
 		 * Print /etc/motd unless a command was specified or printing
 		 * it was disabled in server options or login(1) will be
@@ -2091,14 +2201,22 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
 		 */
 		if (command == NULL && options.print_motd && !quiet_login &&
 		    !options.use_login) {
-			/* Print /etc/motd if it exists. */
+#ifdef LOGIN_CAP
+			fname = login_getcapstr(lc, "welcome", NULL, NULL);
+			login_close(lc);
+			if (fname == NULL || (f = fopen(fname, "r")) == NULL)
+				f = fopen("/etc/motd", "r");
+#else /* LOGIN_CAP */
 			f = fopen("/etc/motd", "r");
+#endif /* LOGIN_CAP */
+			/* Print /etc/motd if it exists. */
 			if (f) {
 				while (fgets(line, sizeof(line), f))
 					fputs(line, stdout);
 				fclose(f);
 			}
 		}
+
 		/* Do common processing for the child, such as execing the command. */
 		do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
 		/* NOTREACHED */
@@ -2240,7 +2358,8 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	 const char *display, const char *auth_proto,
 	 const char *auth_data, const char *ttyname)
 {
-	const char *shell, *cp = NULL;
+	char *shell;
+	const char *cp = NULL;
 	char buf[256];
 	FILE *f;
 	unsigned int envsize, i;
@@ -2248,15 +2367,34 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	extern char **environ;
 	struct stat st;
 	char *argv[10];
+#ifdef LOGIN_CAP
+	login_cap_t *lc;
+
+	lc = login_getpwclass(pw);
+	if (lc == NULL)
+		lc = login_getclassbyname(NULL, pw);
+#endif /* LOGIN_CAP */
 
 	f = fopen("/etc/nologin", "r");
+#ifdef __FreeBSD__
+	if (f == NULL)
+		f = fopen("/var/run/nologin", "r");
+#endif /* __FreeBSD__ */
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */
-		while (fgets(buf, sizeof(buf), f))
-			fputs(buf, stderr);
-		fclose(f);
-		if (pw->pw_uid != 0)
-			exit(254);
+#ifdef LOGIN_CAP
+		/* On FreeBSD, etc., allow overriding nologin via login.conf. */
+		if (!login_getcapbool(lc, "ignorenologin", 0)) {
+#else /* LOGIN_CAP */
+		if (1) {
+#endif /* LOGIN_CAP */
+			while (fgets(buf, sizeof(buf), f))
+				fputs(buf, stderr);
+			fclose(f);
+			if (pw->pw_uid != 0)
+				exit(254);
+		}
+
 	}
 	/* Set login name in the kernel. */
 	if (setlogin(pw->pw_name) < 0)
@@ -2266,6 +2404,13 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	/* Login(1) does this as well, and it needs uid 0 for the "-h"
 	   switch, so we let login(1) to this for us. */
 	if (!options.use_login) {
+#ifdef LOGIN_CAP
+		if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY |
+		    LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) {
+			perror("setclasscontext");
+			exit(1);
+		}
+#endif /* LOGIN_CAP */
 		if (getuid() == 0 || geteuid() == 0) {
 			if (setgid(pw->pw_gid) < 0) {
 				perror("setgid");
@@ -2288,7 +2433,14 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.
 	 */
+#ifdef LOGIN_CAP
+	shell = pw->pw_shell;
+	shell = login_getcapstr(lc, "shell", shell, shell);
+	if (shell[0] == '\0')
+		shell = _PATH_BSHELL;
+#else /* LOGIN_CAP */
 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
+#endif /* LOGIN_CAP */
 
 #ifdef AFS
 	/* Try to get AFS tokens for the local cell. */
@@ -2312,7 +2464,12 @@ do_child(const char *command, struct passwd * pw, const char *term,
 		child_set_env(&env, &envsize, "USER", pw->pw_name);
 		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+#ifdef LOGIN_CAP
+		child_set_env(&env, &envsize, "PATH",
+		    login_getpath(lc, "path", _PATH_STDPATH));
+#else /* LOGIN_CAP */
 		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+#endif /* LOGIN_CAP */
 
 		snprintf(buf, sizeof buf, "%.200s/%.50s",
 			 _PATH_MAILDIR, pw->pw_name);
@@ -2402,13 +2559,17 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	 */
 	endpwent();
 
+#ifdef LOGIN_CAP
+ 	login_close(lc);
+#endif /* LOGIN_CAP */
+
 	/*
 	 * Close any extra open file descriptors so that we don\'t have them
 	 * hanging around in clients.  Note that we want to do this after
 	 * initgroups, because at least on Solaris 2.3 it leaves file
 	 * descriptors open.
 	 */
-	for (i = 3; i < 64; i++)
+	for (i = 3; i < getdtablesize(); i++)
 		close(i);
 
 	/* Change current directory to the user\'s home directory. */
@@ -2427,6 +2588,26 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	 * in this order).
 	 */
 	if (!options.use_login) {
+#ifdef __FreeBSD__
+		/*
+		 * If the password change time is set and has passed, give the
+		 * user a password expiry notice and chance to change it.
+		 */
+		if (pw->pw_change != 0) {
+			struct timeval tv;
+
+			(void)gettimeofday(&tv, NULL);
+			if (tv.tv_sec >= pw->pw_change) {
+				(void)printf(
+				    "Sorry -- your password has expired.\n");
+				syslog(LOG_INFO,
+				    "%s Password expired - forcing change",
+				    pw->pw_name);
+				if (system("/usr/bin/passwd") != 0)
+					perror("/usr/bin/passwd");
+			}
+		}
+#endif /* __FreeBSD__ */
 		if (stat(SSH_USER_RC, &st) >= 0) {
 			if (debug_flag)
 				fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 0d40384..74652fd 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -1,14 +1,17 @@
 # This is ssh server systemwide configuration file.
+#
+# $FreeBSD$
 
 Port 22
 #ListenAddress 0.0.0.0
 #ListenAddress ::
-HostKey /etc/ssh_host_key
+HostKey __PREFIX__/etc/ssh_host_key
 ServerKeyBits 768
-LoginGraceTime 600
+LoginGraceTime 60
 KeyRegenerationInterval 3600
-PermitRootLogin yes
-#
+PermitRootLogin no
+# Rate-limit sshd connections to 5 connections per 10 seconds
+ConnectionsPerPeriod 5/10
 # Don't read ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication